Center for Foundations of Intelligent Systems


Technical  Report 
97-09 

Modal  Logics  for  Continuous 
Dynamics 

J.  M.  Davoren 

November  1997 


CORNELL 

UNIVERSITY 


625  Rhodes  Hall,  Ithaca,  NY  14853  (607)  255-8005 


REPORT  DOCUMENTATION  PAGE 


Title and subtitle: Modal Logics for Continuous Dynamics

Report type: Technical Report

Funding numbers: DAAH04-96-1-0341

Author(s): Jennifer Davoren

Performing organization: Regents of the University of California, c/o Sponsored Projects Office,
336 Sproul Hall, Berkeley, CA 94720

Sponsoring / monitoring agency: U.S. Army Research Office, P.O. Box 12211,
Research Triangle Park, NC 27709-2211

Supplementary notes: The views, opinions and/or findings contained in this report are those of
the author(s) and should not be construed as an official Department of the Army position, policy
or decision, unless so designated by the documentation.

Distribution / availability statement: Approved for public release; distribution unlimited.

Abstract: This work is a formal investigation of a number of bimodal and polymodal logics built
on a base of propositional S4, and is a contribution to the theory of hybrid control systems. It
is the first stage of a larger project of developing logics for the design and verification of
such systems.

Subject terms: topological propositional dynamic logic, continuity, hybrid control systems

Number of pages: 129

Security classification (of report, of this page, of abstract): UNCLASSIFIED




MODAL  LOGICS  FOR  CONTINUOUS  DYNAMICS 


A  Dissertation 

Presented  to  the  Faculty  of  the  Graduate  School 
of  Cornell  University 

in  Partial  Fulfillment  of  the  Requirements  for  the  Degree  of 

Doctor  of  Philosophy 


by 

Jennifer  M.  Davoren 
January  1998 


MODAL  LOGICS  FOR  CONTINUOUS  DYNAMICS 


Jennifer  M.  Davoren,  Ph.D. 
Cornell  University  1998 


This  work  is  a  formal  investigation  of  a  number  of  bimodal  and  polymodal  logics  built 
on  a  base  of  propositional  S4,  and  is  a  contribution  to  the  theory  of  hybrid  control 
systems.  It  is  the  first  stage  of  a  larger  project  of  developing  logics  for  the  design  and 
verification  of  such  systems.  A  hybrid  control  system  is  a  network  of  finite-state  digital 
machines which act on and react to a dynamically changing environment, where such
environments  may  have  mixed  analog  and  digital  states.  Following  Nerode,  I  look 
to  topology  to  provide  a  mediating  link  between  the  analog  and  digital  worlds;  S4 
is  taken  as  a  logical  foundation  since  from  Tarski  and  McKinsey,  it  is  the  logic  of 
topology. 

The  base  logic  S4F  adds  to  the  □  (topological  interior)  of  S4  a  modality  [a]  for 
representing  the  effect  of  an  action  in  an  environment;  [a]  is  interpreted  by  a  total 
function.  In  this  logic,  the  continuity  of  a  function  with  respect  to  a  topology  is 
expressible by the scheme: $[a]\Box\varphi \rightarrow \Box[a]\varphi$. In the second stage of this study, a
fragment  of  deterministic  propositional  dynamic  logic  DPDL  is  overlaid  on  S4F  to 
produce  a  new  modal  dynamic  logic.  In  the  resulting  logic,  called  TPDL  (topological 
propositional  dynamic  logic),  atomic  actions  are  interpreted  by  continuous  functions, 
and  complex  actions  are  formed  under  the  Kleene  operations  of  composition,  choice 
and  iteration. 

Both  a  Tarski-style  topological  semantics  and  a  Kripke  semantics  are  presented 
for the logics. Building on work of Grzegorczyk, I identify a subclass of topological
structures  naturally  dual  to  Kripke  frames.  Topologies  in  this  class  are  such  that 
every  point  is  contained  in  a  smallest  open  set.  As  argued  by  Nerode,  these  are 
precisely  the  topologies  needed  to  give  an  account  of  analog-to-digital  conversion. 

In  addition  to  Hilbert-style  axiomatizations,  tableaux  proof  systems  are  presented 
for each of the logics and proved complete. The tableaux completeness proofs construct
countable $T_0$ topologies whose elements are functional terms, in which the
term  constructor  functions  are  continuous.  Finite  quotients  of  the  term  model  are 
obtained,  so  establishing  the  decidability  of  each  of  the  logics. 


Just  as  this  investigation  was  being  completed,  the  author  obtained  abstracts  of 
very  recent  work  by  Kremer,  Mints  and  Rybakov  on  “Dynamic  Topological  Logics” 
(DTL’s),  which  are  S4-based  propositional  dynamic  logics.  Their  logics  include 
a  “next”  operator  corresponding  to  the  [a]  modality,  for  a  single  atomic  action  a, 
and  a  “star”  operator  corresponding  to  [a*]  for  atomic  a.  The  abstracts  announce 
axiomatizations  of  various  fragments;  for  example,  the  star-free  fragment  of  the  logic 
DTLw  of  homeomorphic  functions. 
Chapter 1


Modal  Logics  for  Continuous 
Dynamics 


1.1  Introduction 

This  work  is  principally  a  formal  investigation  of  a  number  of  modal  logics  —  bimodal 
and  polymodal  logics  built  on  a  base  of  propositional  S4.  These  logics  have  been 
developed  as  a  contribution  to  the  theory  of  hybrid  control  systems,  and  this  work 
is  the  first  stage  of  a  larger  project  of  developing  logics  for  the  design,  specification, 
and  verification  of  such  systems.  Broadly  described,  a  hybrid  control  system  is  a 
network  of  finite-state  digital  machines  which  react  to  and  act  on  a  dynamically 
changing  environment,  where  such  environments  may  have  mixed  analog  and  digital 
states.  Research  in  the  emerging  area  of  hybrid  systems  is  aimed  at  providing  reliable, 
formally  verified,  computer  control  of  physical  processes,  such  as  aircraft,  power  grids, 
and  manufacturing  facilities. 

There  is  a  fundamental  tension  between  the  sorts  of  mathematical  structures  used 
to  represent  analog  or  physical  processes,  and  the  sorts  of  structures  used  to  represent 
digital  devices;  indeed,  much  of  the  effort  in  the  research  area  of  hybrid  systems  lies 
in  addressing  this  tension. 

In  the  analog  or  “continuous”  world  view,  physical  processes  are  usually  modelled 
as some form of input/output dynamical system, or more abstractly, as a collection
of vector fields, where the state space is usually embeddable in a Euclidean space $\mathbb{R}^n$
and so contains continuum-many points; in such models, states evolve on trajectories
$x(t)$ changing continuously with (real) time $t \in \mathbb{R}^+$.

In the digital or “discrete” world view^1, a digital device or program is usually
modelled as some form of finite automaton, with finitely many states and finite input
and output alphabets; state transitions are modelled as occurring in discrete steps,
so time moments are usually positive integers $n \in \mathbb{N}$.

^1 I will use the pair “analog/digital” rather than “continuous/discrete” to mark
the distinction, reserving the term “continuous” for the property of functions.

Following [NK93a], I look to topology to provide a mediating link between these
two competing world-views. Propositional S4 is taken as a logical foundation since
from McKinsey [McK41] and Tarski and McKinsey [MT44], it is the logic of topology.


1.2 Agents and Actions

The next two sections are devoted to identifying central concepts and laying out a
broad framework, with the intention of motivating the logics developed in subsequent
chapters. An overview of the logics themselves is given in Section 1.4. The framework
given here is loosely based on Nerode and Kohn’s “Multiple Agent Hybrid Control
Architecture (MAHCA)”^2 [KN92], [NK93b], [NK93c], [KJN+95], [KR97]. It might best
be described as an attempt to identify the abstract form of the MAHCA framework,
simplified to a single agent.

Starting informally, an agent^3 is a “dumb” finite machine operating in and interacting
with a complex environment that includes real or “continuous” space and
time. Its fundamental operational sequence consists of answering the questions:

• “What is the current state of the environment?”, or more simply, “Where am I
now?”;

• “What state should the environment be in?”, or “What is my next goal?”; and

• “What action can be taken that will realize the desired goal?”, or “What do I
need to do to get there?”

and then performing the designated action.

^2 The core of the Kohn-Nerode MAHCA framework is a procedure which, given a performance
specification expressed as an optimization problem of a specific form, extracts
an $\epsilon$-optimal feedback control function $\gamma : X \to C$, where $X$ is the state space
and $C \subseteq \mathbb{R}^n$ is a space of control values. The procedure draws on differential geometry,
calculus of variations, optimal control theory and dynamic programming. This
procedure is not discussed here. See also [KNR95], [KNR96b], [KNR96b], [BV97].

^3 Although engaging in a not dissimilar endeavor, the present work does not engage
directly with studies in philosophical logic on the logic of (human) action (see, for example,
Segerberg’s survey [Seg92] and other papers in that issue of Studia Logica, or
Horty and Belnap’s [HB95]) or the AI literature on action and change using the situation
calculus and non-monotonic logics (see, for example, Shoham’s Reasoning About
Change [Sho88] and the recent work of Shanahan [Sha97] on the “Frame problem”).

So, an agent acts in an environment in order to bring about a change in that
environment. I take a control agent^4 to be any finite machine that can:

(a) sense: acquire input from its environment, e.g. take sensor readings of various
components of the state of its environment.

(b) act: effect change in its environment by performing one, or a sequence, of its
primitive actions.

(c) convert data:

(i) convert sense data into digital form, suitable as input for internal finite
automata, and

(ii) translate symbolic action instructions, which are digital output from an
internal finite automaton, into action.

(d) use knowledge: access a “knowledge base” which includes symbolic descriptions
of the known or predicted effects of its actions on the environment, say of
the form:

if the current state is in region A and action a is performed
then the resulting state is in region B

where A and B are symbolically described regions or sets of states of the environment,
and a is a symbolic representation of an action.

(e) plan: formulate goals, where a goal is a symbolically described region G of
the environment. The planning module is some form of finite state automaton,
internal to the agent, which takes as input digitalized sense data i and utilizes
the knowledge base to produce a symbolic G as output.

(f) compute: given as input digitalized sense data i and a goal G, and utilizing
the knowledge base, determine by finite computation whether there is an action
it could perform that would realize the given goal; if so, output the symbolic
action instruction a for that action. This module is also some form of finite
state automaton.

(g) adapt: whenever a computation of type (f) fails, report the failure to the
planning module, which reformulates the goal; failure may also be reported to
the knowledge base if the language is sufficiently expressive.

^4 The properties listed here are implicit in the description of the MAHCA “agent
controllers” in [KN92], [NK93b], [NK93c], [KJN+95], [KR97].

In  looking  for  logics  appropriate  for  such  agents,  I  take  the  objective  to  be  two-fold: 

(1.)  Identify  formal  languages  and  logics  suitable  for  the  “knowledge  base”  of  an 
agent,  so  that  the  computation  in  (f)  might  be  assisted  by  an  internal  on-line 
automated theorem prover, as in the MAHCA architecture. If G is the symbolically
described goal state, and from digitalized sense data input i, it is determined
that C symbolically describes the current region, then the computation
in (f) has to find a symbolic action instruction a such that the sentence:

if  the  current  state  is  in  region  C  and  action  a  is  performed 
then  the  resulting  state  is  in  region  G 

is  provable  from  the  knowledge  base,  as  formalized  in  some  language  and  logic. 

(2.)  Identify  formal  languages  and  logics  suitable  for  (external  or  off-line)  reasoning 
about  the  behavior  of  an  agent  and  its  interactions  with  the  environment,  for 
the  use  in  the  formal  specification  and  verification  of  such  systems. 

The  modal  logics  investigated  in  this  work  go  some  way  towards  both  (1.)  and 
(2.).  Regions  of  the  state  space  are  denoted  by  modal  propositional  formulas,  and 
the language includes “action modalities” $[a]$, so that the formula:

$C \rightarrow [a]G$

means: 

if  C,  then  action  a  will  always  make  it  the  case  that  G 

But being propositional logics, they are limited in their expressive power. In first-order
extensions of these logics, one would have a richer vocabulary with which to
describe regions of the environment. A further stage in this project is to investigate
decidable fragments of such first-order extensions.

Having outlined the sort of entity an agent might be, what is an action? Starting
naively, and taking the simplest case first, I think of an action as anything an agent
can do whose effect can be modelled deterministically as a total function $f : X \to X$,
where the state space X is a representation of the agent's environment.

For example, an agent might be part of an automated control system in a manufacturing
plant, say a machine that supervises a tank of liquid chemicals. Points
$x = (x_1, \ldots, x_n) \in X$ might include coordinates $x_i$ for the liquid volume, temperature,
and concentration of various chemicals in a tank. Global or real time $t \in \mathbb{R}^+$ is likely
to be a distinguished coordinate of the state space X; perhaps also a relative time or
“clock” coordinate such as the time since a particular event took place. In addition to
real valued coordinates $x_i$, there could also be discrete valued coordinates representing
data like whether a particular switch is on or off^5. The state space X could also be
expanded to include coordinates for the agent’s own internal states, since the agent
itself lives in its environment. For an agent in such a system, an action might be
adding a certain quantity of a chemical to a tank, physically brought about by sending
electrical (analog) signals which activate various mechanical devices (actuators).
The mathematical representation $f(x)$ of the effect of this action on a state x might
be a prediction of what the volume, temperature and chemical concentrations etc.
will be 60 seconds later, with the global time coordinate incremented by 60 seconds,
assuming it takes say 15 seconds for the chemicals to actually get in the tank.

The  mathematics  involved  in  modelling  and  predicting  the  effect  of  an  action  in 
a  physical  system  may  draw  on  work  in  differential  equations,  functional  analysis, 
calculus  of  variations,  dynamical  systems,  differential  geometry,  linear  and  nonlinear 
systems  theory,  and  whatever  else  is  useful.  In  a  mathematical  model  of  the  effect  of 
an action, call it $\mathfrak{M}_{analog}$, the state space X representing the environment will usually
be  imbued  with  a  great  deal  of  rich  mathematical  structure. 

In the paradigmatic case, $\mathfrak{M}_{analog}$ imbues X with the structure of a $C^\infty$ or C’’
differentiable manifold and includes a coordinate for positive real time, say $X = Y \times \mathbb{R}^+$.
In this case, the function $f : X \to X$ is obtained from the flow $F : Y \times \mathbb{R}^+ \to Y$
of a vector field v on Y. A vector field defines a system of differential equations,
which in favorable circumstances has a unique solution for each initial condition; the
flow is the family of solutions or trajectories $y(t)$ expressed as a function of initial
conditions and time. Flows can also be written as a family $\{F_t\}_{t \in \mathbb{R}^+}$ of evolution
operators $F_t : Y \to Y$ given by $F_t(y) = F(y, t)$, which represent how a point $y \in Y$
(i.e. without the temporal coordinate) will evolve according to vector field v over a
time interval of duration t. The evolution operators satisfy the semigroup axioms:

$F_0 = 1_Y$ and $F_s \circ F_t = F_{t+s}$

for $t, s \in \mathbb{R}^+$, where $1_Y$ is the identity function on Y. These equations are also
known as the Chapman-Kolmogorov laws, and are taken to express a principle of
determinism ([AMR83], §4.1).

In this setting, a primitive action might be represented as a switching of vector
fields. Let $v, u$ be vector fields on Y, with flows $F, G : Y \times \mathbb{R}^+ \to Y$, respectively.
Causing some event to occur t units of time hence, then allowing the process to evolve
for a further s units of time, amounts to:

the process evolving according to vector field v for time duration t,
then being switched to vector field u for a further time duration s.

Then the effect on a point $x = (y, \tau)$ is given by:

$f(x) = f(y, \tau) = ((G_s \circ F_t)(y), \tau + t + s)$

(In the chemical tank example, t = 15 and s = 45 seconds.)^6 Alternatively, a primitive
action might amount to choosing to stay on the same vector field. In that case, we
have $u = v$ and $G = F$, so the effect on a point $x = (y, \tau)$ is given by:

$f(x) = f(y, \tau) = ((F_s \circ F_t)(y), \tau + t + s) = (F_{t+s}(y), \tau + t + s)$

^5 See [KNR96b] for a discussion of ways of “continualizing” digital states so that they
may be treated on an equal footing with real-valued analog states.

Clearly, the effect of a single action can admit many different representations f:
one can keep the same pair of vector fields but vary the time durations t and s,
or one may refine the modelling to produce a new pair of vector fields. For now,
something gets to be called an action if someone, somewhere, can represent it as one
or more systems of differential equations with unique solutions, solve those equations
and report back, preferably with a nice computable formula for f.

To obtain a deterministic representation of the effect of an action, many simplifying
assumptions have to be built in to the model $\mathfrak{M}_{analog}$^7. There are inevitably some
factors in the dynamics of the situation that have to be ignored for the purposes of
modelling; the world (environment) is invariably more complicated than any mathematical
model of it. In particular, deterministic models must ignore the imprecision
with which an agent interacts with the world. Such modelling will have to assume
that an agent’s actuators behave perfectly and are perfectly precise; for example, that
precisely g grams of some chemical is added to a certain location in the tank precisely
t seconds after a signal is received. Such models also leave no room to talk about
the precision of an agent’s sensors since the modelling is based on the mathematical
representation of a point x in the state space, not on any sensor reading of x.


^6 The “switching vector fields” idea of action seems not incompatible with von
Wright’s conception of action in his Causality and Determinism [vW74] (quoted in
[Seg92]): “To act is to interfere with the course of the world, thereby making true
something which would not otherwise (i.e. had it not been for this interference) come
to be true of the world at that stage of its history.” (p.39)

^7 Simplifying assumptions are also required for a non-deterministic modelling as a
set-valued function $f : X \to \mathcal{P}(X)$, though usually fewer of them.


1.3  Topologies  and  Continuity 

One  of  the  novel  ideas  in  [NK93a]  is  to  use  a  topology  on  the  state  space  to  reflect 
the  imprecision  with  which  an  agent  interacts  with  the  world,  and  more  generally, 
to  provide  a  layer  of  meaning  which  mediates  between  the  analog  and  digital  world 
views. 

Formally, a topology T on a space X is any family of subsets of X that is closed
under finite intersections and arbitrary unions, and contains the empty set $\emptyset$ and the
whole space X. Sets $U \in T$ are called open (relative to T).

Topologies are often represented by a family $\mathcal{B}_T \subseteq T$ of basic open sets, with the
property that whenever U is open and $x \in U$, there is a basic open set $B \in \mathcal{B}_T$ such
that $x \in B$ and $B \subseteq U$. So the basic open sets are the small open sets, and every
open set is a union of basic open sets.

Think  of  the  basic  open  sets  of  a  topology  T  on  a  state  space  X  as  the  simple 
meaningful  regions  of  X.  Such  sets  act  as  a  collection  of  lenses  or  filters  which  mediate 
between  an  agent  and  its  environment,  as  represented  by  X.  Thought  of  as  lenses, 
the  basic  open  sets  reflect  the  precision  with  which  points  in  X  can  be  discriminated. 
Thought  of  as  filters,  the  basic  open  sets  are  what  an  agent  uses  to  make  sense  of  or 
give  meaning  to,  continuum-much  information. 

For example, the standard topology $T_{\mathbb{R}^n}$ on Euclidean space $\mathbb{R}^n$ (or more generally,
any metric space) has as a basis the collection of all balls $B(x, \epsilon)$ (the points y of
distance less than $\epsilon$ from x) for all x and all real numbers $\epsilon > 0$. This means
that any two distinct points x and y can be distinguished by disjoint balls $B(x, \epsilon)$
and $B(y, \epsilon)$ by taking $\epsilon$ less than half the distance between them, no matter how small that
is, and for any ball around x, there is a yet smaller ball inside it. So $T_{\mathbb{R}^n}$ can be
thought of as a topology of perfect or infinite precision, generated by uncountably
many “meaningful regions” $B(x, \epsilon)$ shrinking down to a point x.

In the models $\mathfrak{M}_{analog}$, where X is a $C^\infty$ or C” differentiable manifold, the topology
$T_{analog}$ is inherited from the differential structure; X is locally “identical” (homeomorphic)
with an open subset of $\mathbb{R}^n$ for some n, so $T_{analog}$ will be a perfect precision
topology.

On  the  other  hand,  for  any  physically  realizable  agent,  there  are  intrinsic  limits 
to  the  precision  with  which  it  can  interact  with  its  environment.  Perfect  precision 
is not implementable, and single points in space and time are not physically meaningful.
For example, no physically realizable sensor can discriminate between points
whose distance apart is smaller than the altitude of light waves. Likewise, no physically
realizable clock can discriminate between time instances closer together than,
say,  the  period  of  the  harmonic  oscillation  of  an  electron  in  a  helium  atom.  In  the 
world  as  we  know  it,  there  are  smallest  discernible  regions  of  space  and  time.  For 
any  particular  agent  and  its  environment,  there  will  always  be  smallest  meaningful 


quantities^  of  temperature  or  volume  or  whatever,  which  mark  the  limits  of  its  powers 
of  discrimination. 


Call a topology T on X a digital topology or D-topology if every point x is contained
in  a  smallest  open  set  (relative  to  T)®. 

So T is a D-topology on X exactly when, for each $x \in X$, the intersection of all
open sets containing x:

$B_x = \bigcap \{U \in T \mid x \in U\}$

is itself open, and so is the smallest open set containing x. The D-topology condition is
the requirement that any descending chain of smaller and smaller open sets containing
a point x must eventually stop, marking the limits of discrimination, and the region
$B_x$ at which this descent stops is the smallest meaningful region containing the point
x. It is readily shown that the collection of all such $B_x$'s forms a basis for the topology
T. Points x and y are indistinguishable through the lenses of T, or have the same
meaning relative to T, exactly when x and y share the same basic open set in T, i.e.
$B_x = B_y$.

From  within  the  world  view  of  analog  mathematics,  D-topologies  may  seem  quite 
bizarre;  they  lack  the  “separation”  properties  that  are  taken  for  granted  from  Chapter 
2 onwards of most texts in analysis or topology or their applications. A D-space $(X, T)$
is Hausdorff or even $T_1$ only in the trivial case when the topology T is discrete (i.e.
every  subset  of  X  is  open,  and  supposedly  “meaningful”.) 

But in the digital world view, D-topologies are just the trick. A D-topology on a
state space X with continuum-many points is a set of lenses through which one can
get  a  digital  view  of  an  analog  world,  or  a  set  of  filters  in  virtue  of  which  a  “dumb” 
agent  can  make  sense  of  continuum-much  information. 

From [NK93a], a D-topology T on X naturally defines an analog-to-digital conversion.
Let $\{B_i\}_{i \in I}$ be the collection of distinct sets $B_i$ such that
$B_i = B_x = \bigcap \{U \in T \mid x \in U\}$ for some $x \in X$, where $I$ is a (possibly infinite) discrete index set. Then
define a map $AD : X \to I$ by $AD(x) = i$ iff $B_i = B_x$. So AD identifies points that
belong to the same smallest open set in T, and hence belong to all the same open sets
in T. When I is finite, the AD map models the conversion of sense data into digital
data suitable as input for internal finite automata, as required in the description of
an agent. Mathematically, the AD map is just the Stone $T_0$ quotient map; we return
to this point in Section 3.3.

*These topologies are identified in [NK93a], §5.2, by the name “AD-topologies” to
emphasize that they are topologies suitable for describing analog-to-digital conversion.
There, the term “small topology” is also used to refer to any subtopology of the
standard topology on a state space. Any finite small topology is a D-topology.

D-topologies were first identified by Grzegorczyk in [Grz67], where they are given
the name “totally distributive” topologies. There, the defining property is:

$cl_T(A) = \bigcup_{x \in A} cl_T(\{x\})$

for all $A \subseteq X$. This is equivalent to the property that an arbitrary union of closed
sets is closed, or dually, an arbitrary intersection of open sets is open; these properties
are in turn equivalent to the defining property of D-topologies.

For  a  given  agent  with  a  set  of  primitive  actions  denoted  by  let 

$\mathfrak{M}_{analog} = (X, T_{analog}, \{f_j\}_{j \in J}, \text{more structure})$

denote the mathematical structure in which the functions $f_j : X \to X$ come from
the flows of pairs of vector fields associated with actions $a_j$. Now take a D-topology
$T_{digital}$ which is a subtopology of $T_{analog}$; i.e. $T_{digital}$ contains only some of the open
sets of $T_{analog}$, but is closed under arbitrary intersections (as well as arbitrary unions).
Structures of the form:

$\mathfrak{M}_{digital} = (X, T_{digital}, \{f_j\}_{j \in J})$

are  the  ones  to  keep  in  mind  for  the  logics  subsequently  developed  in  this  investigation. 

How might one find a D-topology on X? One sure way is to start with a finite
open cover $X = \bigcup_{k<m} U_k$ of sets $U_k$ open in the original topology $T_{analog}$, then let
$T_{digital}$ be the topology obtained by taking all (finite) unions and intersections of the
$U_k$s. The basic open sets will be those sets $B_i$ that are join-irreducible in $T_{digital}$,
considered as a lattice of sets; i.e. with the property that whenever $B_i \subseteq U \cup V$ then
either $B_i \subseteq U$ or $B_i \subseteq V$. Such a $T_{digital}$ will be a finite topology; i.e. the total
number of open sets is finite, and all finite topologies are D-topologies.

If  X  is  compact  in  the  original  topology  TI„aiog)  then  we  at  least  know  there  is  a 
finite  open  cover  X  =  Ujfe<m 

A  harder  question:  How  might  one  go  about  finding  an  open  cover,  and  thence  a 
D-topology,  which  directly  encodes  a  particular  agent’s  (current)  level  of  imprecision, 
and  includes  regions  of  the  state  space  that  are  appropriately  meaningful  for  the 
agent, and open in the original topology $\mathcal{T}_{analog}$?

Suppose the coordinates of points $x \in X = Y \times T$ in the state space are $x =
(x_1, \ldots, x_n, t)$, with time $t \in T \subseteq \mathbb{R}$. As a start, identify a precision limit $\delta_i > 0$ for
each non-temporal real-valued coordinate $x_i$; i.e. differences between values $x_i$ and
$x'_i$ smaller than $\delta_i$ are not meaningful for the agent. Use the $\delta_i$ as the measure of the
smallest open set in the projection $X_i$ of $X$ onto its $i$-th coordinate, so any interval
must be of length at least $\delta_i$. Then try to identify critical or threshold values $c$ which
when detected by the agent should instigate action, and add intervals, say of the
form:

$(c - \delta_i, c + \delta_i) = \{x_i \in X_i \mid c - \delta_i < x_i < c + \delta_i\}$

(of length $2\delta_i$, just for good measure). For example, $x_i$ is temperature and $c = 100°$
Celsius so water is boiling. A meaningful region of $X_i$ might be any subset that can be
defined by a finite set of strict inequalities or constraints^9, subject to the requirement
that the intersection of any collection of meaningful regions is of size at least $\delta_i$, so still
meaningful. Digital coordinates $x_i$, say $x_i \in \{0, 1\}$, can be embedded into an interval
in the reals and treated similarly. Say treat $x_i$ as a value in the open real interval $(0, 1)$
and cover it with (0,i) and (§,1) together with the whole interval $(0, 1)$. A finite
cover of the non-temporal part $Y$ of the state space might then be pieced together
from finite covers of its coordinate projections. For the time coordinate $t \in T$, one
may want to proceed differently^10. One should still identify a precision limit $\delta > 0$,
but instead of a finite open cover, it may make more sense to take a countable open
cover of intervals with intersections of at least length $\delta$. This still gives a D-topology,
and the $\delta > 0$ lower bound ensures that any sequence {4} of timings associated with
a sequence of actions is non-Zeno or realizable^11, meaning only a finite number of
actions can occur in a finite interval of time. The task of systematically generating
“meaningful” open covers is a worthy object of further investigation, but it is not
pursued here.

The last in my shopping list of concepts is continuity. Informally, a function $f$ on
a space $X$ is continuous if a small variation between $x$ and $y$ gives rise to only a small
variation between $f(x)$ and $f(y)$. Thinking of $f$ as the effect of an action, continuity
seems like a most pleasant and desirable property: the action doesn’t give rise to
big “jumps” or “gaps”. Of course, a formal account of “small variation” requires
reference to a topology.

Formally, a function $f : X \to X$ is continuous with respect to a topology $\mathcal{T}$ on
$X$ if whenever a set $U$ is open, then the set of points $x$ which get mapped by $f$ into
$U$ is also open, relative to $\mathcal{T}$; more succinctly, “the inverse-image under $f$ of an open
set is open”, where the inverse-image is:

$f^{-1}(U) = \{x \mid f(x) \in U\}$

If the open sets in $\mathcal{T}$ are the meaningful or discernible regions of the state space, then
the continuity of $f$ means that whenever $U$ is meaningful or discernible, then so is
the set $f^{-1}(U)$ of points which get mapped by $f$ into $U$.

^9 So we will need a first-order logic if we are to define such regions within the formal
language.

^10 The issue of time as a distinguished variable will be addressed in future investigations.

^11 The notion of a realizable sequence of times is defined in [NK93a], §2.

In the model $\mathfrak{M}_{analog}$ above, the functions $f_j : X \to X$ are obtained from compositions
of evolution operators of flows of vector fields. Under suitable hypotheses, a
$C^r$ vector field has a $C^r$ flow^12, so the $f_j$ are always continuous with respect to the
original topology $\mathcal{T}_{analog}$ (although their derivatives are likely to be discontinuous at
points where the vector field switches). Note, however, that even when $\mathcal{T}_{digital}$ is a
subtopology of $\mathcal{T}_{analog}$, the continuity of $f_j$ w.r.t. the larger topology $\mathcal{T}_{analog}$ implies
nothing about the continuity of $f_j$ w.r.t. the smaller topology $\mathcal{T}_{digital}$. (And conversely,
continuity w.r.t. a subtopology implies nothing about continuity w.r.t. the
full topology.)

In the case when $\mathcal{T}_{digital}$ is a finite topology, say from a finite open cover in $\mathcal{T}_{analog}$,
with basic open sets $\{B_i\}_{i<n}$, we have for each $i < n$,

for some index set $J_i \subseteq \{0, \ldots, n-1\}$, since $f^{-1}(B_i)$ being open is a union of basic
open sets in $\mathcal{T}_{digital}$. This means one can write out all the basic inclusion relations,
for each $i < n$ and $j \in J_i$,

$B_j \subseteq f^{-1}(B_i)$

i.e.

if $x \in B_j$ then $f(x) \in B_i$

which completely map out the behavior of $f$ on open sets. When $f$ represents the
effect of an action $a$, this translates as:

if $B_j$ then action $a$ will always make it the case that $B_i$

A symbolic representation of such inclusions is the sort of thing that should be found
in the knowledge base of an agent.

More generally, when $f$ is continuous with respect to any D-topology $\mathcal{T}_{digital}$ on $X$,
then whenever $x$ and $y$ share the same smallest open set, and so are indistinguishable
through the lenses of $\mathcal{T}_{digital}$, or have the same meaning relative to $\mathcal{T}_{digital}$, their images
$f(x)$ and $f(y)$ will also share the same smallest open set and so be indistinguishable
relative to $\mathcal{T}_{digital}$. So the continuity of $f$ with respect to $\mathcal{T}_{digital}$ means that the action
represented by $f$ respects or preserves the precision limitations and meanings of the
agent, as those limitations and meanings are reflected in $\mathcal{T}_{digital}$.
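The construction described above, from a finite open cover to basic open sets, the AD map, and the table of basic inclusions for an action, can be carried out mechanically on a finite state space. The following is an added example, not code from the report; the eight-point state space, the cover, and the two actions `SETTLE` and `SHIFT` are constructed for illustration.

```python
from itertools import combinations


def generate_topology(points, cover):
    """Close a finite open cover under unions and intersections (a finite, hence D-, topology)."""
    opens = {frozenset(), frozenset(points)} | {frozenset(u) for u in cover}
    changed = True
    while changed:
        changed = False
        for u, v in combinations(list(opens), 2):
            for w in (u | v, u & v):
                if w not in opens:
                    opens.add(w)
                    changed = True
    return opens


def smallest_open(x, opens):
    """B_x: the intersection of all open sets containing x."""
    return frozenset.intersection(*(u for u in opens if x in u))


def basic_opens(points, opens):
    """Distinct smallest open sets, in a fixed order so they can serve as digital symbols."""
    return sorted({smallest_open(x, opens) for x in points},
                  key=lambda b: (len(b), sorted(b)))


def ad_map(points, opens):
    """AD(x) = i iff B_i = B_x."""
    basics = basic_opens(points, opens)
    return {x: basics.index(smallest_open(x, opens)) for x in points}


def preimage(f, u):
    return frozenset(x for x in f if f[x] in u)


def is_continuous(f, opens):
    """The inverse image of every open set is open."""
    return all(preimage(f, u) in opens for u in opens)


def respects_ad(f, ad):
    """Points with the same digital symbol are mapped to points with the same symbol."""
    return all(ad[f[x]] == ad[f[y]] for x in f for y in f if ad[x] == ad[y])


def inclusion_table(f, basics):
    """Pairs (j, i) with f(B_j) inside B_i: 'if B_j then the action always makes it B_i'."""
    return [(j, i) for j, bj in enumerate(basics) for i, bi in enumerate(basics)
            if all(f[x] in bi for x in bj)]


# Constructed sample: eight quantised readings covered by three overlapping ranges.
POINTS = range(8)
COVER = [{0, 1, 2, 3}, {2, 3, 4, 5}, {4, 5, 6, 7}]
OPENS = generate_topology(POINTS, COVER)
BASICS = basic_opens(POINTS, OPENS)
AD = ad_map(POINTS, OPENS)

# Constructed actions. SETTLE is continuous w.r.t. OPENS. SHIFT keeps AD-equal points
# AD-equal but is not continuous, so preserving indistinguishability is only a
# necessary condition for continuity.
SETTLE = {0: 2, 1: 2, 2: 3, 3: 3, 4: 4, 5: 4, 6: 5, 7: 5}
SHIFT = {x: min(x + 2, 7) for x in POINTS}

if __name__ == "__main__":
    print("open sets:", len(OPENS))
    print("basic open sets:", [sorted(b) for b in BASICS])
    print("AD map:", AD)
    for name, f in (("SETTLE", SETTLE), ("SHIFT", SHIFT)):
        print(name, "continuous:", is_continuous(f, OPENS),
              "respects AD:", respects_ad(f, AD))
    print("inclusions for SETTLE:", inclusion_table(SETTLE, BASICS))
```
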

So as argued in [NK93a], continuity of $f$ with respect to a suitable D-topology
can be construed as a performance specification. To formally verify that such a
specification is satisfied, we need a logic in which the purely topological notion of
continuity is expressible.


^12 A $C^r$ function is continuous, and for $1 \le n \le r$, its $n$-th derivative is also continuous.
1.4 Overview of the Logics

Starting  from  first  principles,  I  begin  by  looking  for  the  simplest  logic  available  in 
which  the  purely  topological  notion  of  continuity  is  expressible.  From  the  definition; 
“the  inverse-image  of  an  open  set  is  open”,  the  two  ingredients  are  open  sets  and 
functions,  so  both  must  be  expressible  in  the  logic.  The  investigation  starts  with 
a  bimodal  logic  S4F  combining  two  “off-the-shelf”  logics:  propositional  S4  and  a 
modal  logic  known  as  KF  (“F”  for  “function”). 

From McKinsey and Tarski in [McK41] and [MT44], the S4 axioms for $\Box$, namely:

$\Box$K : $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$

$\Box$T : $\Box\varphi \to \varphi$

$\Box$4 : $\Box\varphi \to \Box\Box\varphi$

characterize the interior operator of a topology, and dually, the S4 $\Diamond$ corresponds to
the closure operator. A set is open in a topology when it is equal to its own interior, so
“$\varphi$ is open” is expressed by the formula $\varphi \leftrightarrow \Box\varphi$. In the relational Kripke semantics
[Kri63], S4 is the logic of reflexive and transitive binary relations. Continuing the
metaphors of the basic open sets of a topology as a set of lenses or filters, the formula
$\Box\varphi$ might be read as “discernibly $\varphi$” or “meaningfully $\varphi$”, since

$\|\Box\varphi\| = int_{\mathcal{T}}(\|\varphi\|)$

is the union of all basic open sets contained in $\|\varphi\|$.

The axioms for the “Box” modality of KF — here $[a]$ for “action” — are:

$[a]$K : $[a](\varphi \to \psi) \to ([a]\varphi \to [a]\psi)$

$[a]$F : $[a]\varphi \leftrightarrow \langle a \rangle\varphi$

where $\langle a \rangle$ is defined as $\neg[a]\neg$, and the logic is closed under the rule of $[a]$-necessitation.
The logic can be found in [Lem77]^13, where it is identified as characteristic for
total (serial) and functional (deterministic) binary relations in the Kripke semantics.
In a sense, the $[a]$ operator is nothing more than the “next-time” or “next-state”
modality of temporal logics^14, given a more abstract semantics. The novelty here lies
in combining it with the S4 $\Box$ and $\Diamond$ modalities to give symbolic representation to a
topology as well as an arbitrary function. In the topological semantics, the F axioms
for $[a]$ are satisfied by the inverse-image of a total function, with

$\|[a]\varphi\| = f^{-1}(\|\varphi\|)$

and in the logic F, it is provable that $[a]$ commutes with all Boolean operations^15.

^13 The source manuscript of the “Lemmon Notes” [Lem77] is dated 1966, and was a
collaboration of E. J. Lemmon and Dana Scott. It was edited for [Lem77] by Krister
Segerberg.

^14 The first appearance of the F axioms seems to be in A. N. Prior’s [Pri57] as the
axioms for the “tomorrow it will be the case that” modality, and they appear again in
that guise in [Seg67]. See also G. H. von Wright’s work on the “And Next” modality
[vW65] and Appendix B of Prior’s [Pri67].

The formula $[a]\varphi$ can be read as “action $a$ always makes it the case that $\varphi$”^16.
Formulas of the form:

$\psi \to [a]\varphi$

then read: “whenever $\psi$, then action $a$ always makes it the case that $\varphi$” or more
succinctly, “action $a$ always takes $\psi$ states to $\varphi$ states”. Such a formula is true
(evaluates as the whole space) in a topological model exactly when,

for all $x \in X$,

$x \in \|\psi\|^{\xi}$ implies $f(x) \in \|\varphi\|^{\xi}$

where $\xi$ is a valuation of atomic propositions as subsets of $X$. More generally,

reads “$k$ iterations of action $a$ always takes $\psi$ states to $\varphi$ states”, where  is just
$\varphi$ and  is [a][a]*^93. Formulas of this form express the sort of basic facts that
should be found in the knowledge base of an agent. If $\varphi$ is a goal region generated by
an agent’s planning automaton, and $\psi$ is a region containing the current state, then
the internal control automaton should be looking for an action $a$ such that:

xf)  ->  [a]0(/? 

is provable from the agent’s knowledge base^17.

^15 The $[a]$F axiom scheme says that $[a]$ commutes with negation, and $[a]$K together
with its provable converse say that $[a]$ commutes with (classical) implication.

^16 Dually, $\langle a \rangle\varphi$ would be read as “action $a$ sometimes makes it the case that $\varphi$”.
Axiom $[a]$F says that, for primitive or atomic actions, “sometimes” is the same as
“always”.

^17 So a richer language and logic in which to talk about complex actions might be
quite useful.

In the bimodal language $\mathcal{L}_{\Box a}$, the property of continuity is expressible by the
axiom scheme:

Cont : $[a]\Box\varphi \to \Box[a]\varphi$

In the topological semantics, the scheme translates as:

$f^{-1}(int_{\mathcal{T}}(A)) \subseteq int_{\mathcal{T}}(f^{-1}(A))$ for all subsets $A \subseteq X$

and this condition is satisfied exactly when the function $f$ (interpreting action $a$) is
continuous with respect to the topology $\mathcal{T}$ on $X$^18. The logic obtained from S4F by
the addition of the Cont scheme is given the name S4C: the propositional bimodal
logic of one continuous function.

In examining the relationship between the topological and Kripke semantics, I
look to Grzegorczyk [Grz67], and back to McKinsey and Tarski [MT46], with some
assistance from Scott [Sco72]. Start by defining a reflexive and transitive relation $R_{\mathcal{T}}$
on $X$ from a topology $\mathcal{T}$ on $X$ by^19:

$(x, y) \in R_{\mathcal{T}}$ iff for all $U \in \mathcal{T}$, $x \in U$ implies $y \in U$

Thinking of a topology $\mathcal{T}$ as a collection of meaningful regions of $X$, $(x, y) \in R_{\mathcal{T}}$ says
that $y$ has all the same (topological) meaning as $x$ has; $R_{\mathcal{T}}$ is the meaning relation of
$\mathcal{T}$. So $x$ and $y$ will have the same meaning when both $(x, y) \in R_{\mathcal{T}}$ and $(y, x) \in R_{\mathcal{T}}$^20.
To go the other way, start with an S4 Kripke frame $(W, R)$, and define a topology $\mathcal{T}_R$
on $W$ by taking as basic open sets all the “upper cones” under $R$^21:

$B_w = \{v \mid (w, v) \in R\}$

For all reflexive-transitive relations $R$, the induced topology $\mathcal{T}_R$ is a D-topology, and
if $\mathcal{T}$ is a D-topology on $X$ then $\mathcal{T}_{R_{\mathcal{T}}} = \mathcal{T}$; i.e. the topology induced by $R_{\mathcal{T}}$ is $\mathcal{T}$ itself.
So D-spaces are the natural topological duals of S4 Kripke frames. Indeed, this exact
correspondence can be recovered from Grzegorczyk’s [Grz67].

^18 The Cont scheme might be read as: “if action $a$ will make it the case that
discernibly $\varphi$, then discernibly, action $a$ will make it the case that $\varphi$”. Or try replacing
“discernibly” with “meaningfully”.

^19 In [Grz67], the relation is defined by:

$(x, y) \in R_{\mathcal{T}}$ iff $x \in cl_{\mathcal{T}}(\{y\})$

which is provably equivalent to the given definition, taken from [Sco72].

^20 Identifying all such points $x$ and $y$ gives the Stone $T_0$ quotient of $(X, \mathcal{T})$, with
the quotient map the AD converter map discussed above.

^21 The topology $\mathcal{T}_R$ is known as the “Alexandroff topology” ([Joh82], [Smy92]) when
$R$ is a partial order, and also goes by the name “cone topology” [Mi95]. In [Grz67],
the equivalent topology $\mathcal{T}$ on $W$ defined from $R$ by:

$cl_{\mathcal{T}}(A) = \{w \in W \mid (\exists v \in W)[\,(w, v) \in R \text{ and } v \in A\,]\}$

for all $A \subseteq W$, is attributed to [MT46]. This last equation can also be obtained from
Jonsson and Tarski’s work on Boolean algebra with operators [JT51].

The transformations between topologies and reflexive-transitive relations also reveal
an elegant characterization of continuity in the Kripke semantics. In one direction,
if $\mathfrak{T} = (X, \mathcal{T}, f)$ is a topological structure for $\mathcal{L}_{\Box a}$, with $R_{\mathcal{T}}$ the induced binary
relation on $X$, then the continuity of $f$ w.r.t. $\mathcal{T}$ implies $f$ is monotone w.r.t. $R_{\mathcal{T}}$.
This is a variant on the theme of “continuity implies monotonicity” in cpo and domain
theory. What is quite pleasing is the other direction: if $\mathcal{K} = (W, R, F)$ is a
Kripke frame for $\mathcal{L}_{\Box a}$, with $\mathcal{T}_R$ its induced topology (and a D-topology) on $W$, then
the $R$-monotonicity of $F$ implies that $F$ is continuous w.r.t. $\mathcal{T}_R$. So here, “continuity
equals monotonicity”.
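The correspondence between S4 Kripke frames and D-topologies, and the claim that continuity equals monotonicity, can be checked exhaustively on a small frame. The following is an added example, not code from the report: the four-world frame is constructed, and the check runs over every total function on it, comparing continuity w.r.t. the cone topology, monotonicity w.r.t. R, and the set-theoretic form of the Cont scheme.

```python
from itertools import product


def closure(W, pairs):
    """Reflexive-transitive closure of a relation on W (an S4 accessibility relation)."""
    R = {(w, w) for w in W} | set(pairs)
    while True:
        extra = {(x, z) for (x, y) in R for (y2, z) in R if y == y2} - R
        if not extra:
            return R
        R |= extra


def subsets(W):
    W = sorted(W)
    return [frozenset(w for w, bit in zip(W, bits) if bit)
            for bits in product((0, 1), repeat=len(W))]


def cone_topology(W, R):
    """T_R: the sets closed upward under R; generated by the cones B_w = {v | (w, v) in R}."""
    return {A for A in subsets(W) if all(v in A for (w, v) in R if w in A)}


def meaning_relation(W, opens):
    """R_T: (x, y) iff every open set containing x also contains y."""
    return {(x, y) for x in W for y in W if all(y in U for U in opens if x in U)}


def interior(A, opens):
    """Union of all open sets contained in A."""
    return frozenset().union(*(U for U in opens if U <= A))


def preimage(F, A):
    return frozenset(w for w in F if F[w] in A)


def is_continuous(F, opens):
    return all(preimage(F, U) in opens for U in opens)


def is_monotone(F, R):
    return all((F[x], F[y]) in R for (x, y) in R)


def cont_scheme_valid(F, W, opens):
    """Semantic form of Cont: f^-1(int A) is contained in int(f^-1 A) for every subset A."""
    return all(preimage(F, interior(A, opens)) <= interior(preimage(F, A), opens)
               for A in subsets(W))


def survey(W, R):
    """Compare the three conditions for every total function F : W -> W."""
    opens = cone_topology(W, R)
    W = sorted(W)
    total = agree = continuous = 0
    for values in product(W, repeat=len(W)):
        F = dict(zip(W, values))
        c = is_continuous(F, opens)
        m = is_monotone(F, R)
        s = cont_scheme_valid(F, W, opens)
        total += 1
        agree += (c == m == s)
        continuous += c
    return total, agree, continuous


# Constructed frame: worlds 0 and 1 see each other (same meaning), both see 2; 3 is isolated.
W = [0, 1, 2, 3]
R = closure(W, {(0, 1), (1, 0), (1, 2)})
T = cone_topology(W, R)
IDENTITY = {w: w for w in W}
SWAP = {0: 2, 1: 1, 2: 0, 3: 3}   # breaks monotonicity: (0, 2) is in R but (2, 0) is not

if __name__ == "__main__":
    print("open sets:", sorted(sorted(U) for U in T))
    print("R recovered from T_R:", meaning_relation(W, T) == R)
    print("T recovered from R_T:", cone_topology(W, meaning_relation(W, T)) == T)
    print("(functions, agreeing, continuous):", survey(W, R))
```
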

The “continuous dynamics” in the title of this work ambiguously refers to both
the dynamics of analog or “continuous” processes, and the enterprise of putting a
“continuous” spin on dynamic logic. In the second stage of the project, propositional
dynamic logic PDL ([FL79], [Pra79], [Par81], [Seg82], [BHP82]) is overlaid on S4C
to form a new modal-based propositional dynamic logic.

Atomic actions $a \in \Sigma$ are interpreted by continuous total functions, and compound
actions $\alpha$ are generated from $\Sigma$ by the Kleene operations of composition, sum
(non-deterministic choice) and iteration (star)^22. The resulting logic is given the name
TPDL, topological propositional dynamic logic. The modalities $[\alpha]$ and $\langle\alpha\rangle$ remain
equivalent if $\alpha = a_1 \cdots a_n$ is a simple composition of atomic actions, but of course
they diverge in the presence of sum and iteration. The formula $[\alpha]\varphi$ can be read as
“action $\alpha$ always makes it the case that $\varphi$”, while $\langle\alpha\rangle\varphi$ is read as “action $\alpha$ sometimes
makes it the case that $\varphi$”.

^22 The “test” operation is omitted at this stage, pending a further clarification of an
appropriate semantics. So what is overlaid on S4C is actually the test-free fragment
of deterministic propositional dynamic logic DPDL, further restricted to atomic actions
whose interpretations are both functional (deterministic) and total relations.
DPDL is studied in [BHP82]; its precursor can be found in a programming logic of
[Con77], where atomic commands are also interpreted by partial functions. Within
the “algorithmic logic” school of Salwicki and Mirkowska, the logic of deterministic
total actions is briefly studied in [MS87], Chp. V, §8.

In the topological semantics for TPDL, the modalities $\langle\alpha\rangle$ and $[\alpha]$ for compound
actions $\alpha$ are interpreted by unary operators $\sigma(\alpha)$ and $\pi(\alpha)$, respectively, on the
power set $\mathcal{P}(X)$. These operators are generated from the inverse-image operators
$\sigma(a) = \pi(a) = f_a^{-1}$ of a family of functions $f_a : X \to X$ for atomic actions $a \in \Sigma$,
where each $f_a$ is continuous w.r.t. a topology $\mathcal{T}$ on $X$. The modalities are given by:

$\|\langle\alpha\rangle\varphi\| = \sigma(\alpha)(\|\varphi\|)$ and $\|[\alpha]\varphi\| = \pi(\alpha)(\|\varphi\|)$

where, as one would expect,

$\sigma(\alpha\beta)(A) = (\sigma(\alpha) \circ \sigma(\beta))(A)$
cr{aAl3){A)  =  (T{a){A)  \J  (t{P){A) 

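$\sigma(\alpha^*)(A) = \bigcup_{k \in \mathbb{N}} \sigma(\alpha^k)(A)$

and

$\pi(\alpha)(A) = (-\sigma(\alpha)-)(A)$

for $A \in \mathcal{P}(X)$. For an arbitrary topology $\mathcal{T}$ on $X$, we have:

$\sigma(\alpha)(int_{\mathcal{T}}(A)) \subseteq int_{\mathcal{T}}(\sigma(\alpha)(A))$ for all subsets $A \subseteq X$

and when $\mathcal{T}$ is a D-topology on $X$,

$\pi(\alpha)(int_{\mathcal{T}}(A)) \subseteq int_{\mathcal{T}}(\pi(\alpha)(A))$ for all subsets $A \subseteq X$

So the continuity schemes

$\langle\alpha\rangle$Cont : $\langle\alpha\rangle\Box\varphi \to \Box\langle\alpha\rangle\varphi$ and $[\alpha]$Cont : $[\alpha]\Box\varphi \to \Box[\alpha]\varphi$

are true in all topological structures, and all D-topological structures, respectively^23.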
Continuous  analogs  of  the  Hoare  composition  rules: 

-»•  (a)ax  X  -»  ^  X  ^ 

V’  v  ->  [o0P<p 

are truth-preserving in all topological structures, and all D-topological structures,
respectively. These latter rules will be useful for an internal control automaton in
looking for an action $a$ such that:

■0 

is entailed by the knowledge base of an agent, where $\psi$ represents the current state
and $\varphi$ a goal.

^23 For a D-topology $\mathcal{T}$, arbitrary intersections of open sets are open; this is what is
needed for the continuity of the $[a^*]$ operator.

The richer language of TPDL permits the expression of other interesting properties
of actions. For example, the formula^24 $\varphi \to [a^*]\varphi$ is true in a structure exactly
when the set of $\varphi$ states is closed under every iteration of every application of $a$;
equivalently, $\|\varphi\|$ is the least fixed point of the operator $\pi(a)$. Properties of this form
are used in discussions of the viability of hybrid systems [KNRY95].

^24 The converse $[a^*]\varphi \to \varphi$ is TPDL provable.

In addition to the Hilbert-style axiomatizations^25, I present tableaux proof systems
for each of the logics. The orthodox treatment of tableaux, stemming from
Smullyan’s [Smu68], labels the nodes of a finitely-branching tree (or more generally,
a directed graph) with sets of subformulas^26 of the formula at the root node. Such
tableaux are developed according to rules capturing the semantics of the logic’s connectives
and operators, and development stops at a node when its label set contains
a contradiction. In systems where tableaux are trees, there is usually a simple translation
into a Gentzen-style sequent calculus: given a finite tableaux proof (all paths
end in contradiction), turn it upside-down and “massage” a little to get a sequent
calculus derivation, with the contradictions corresponding to axiom sequents. Orthodox
tableaux have been used extensively in various modal, temporal and dynamic
logics (see, for example, [Pra80], [Fi83], [BMP83], [BS84], [Wo85], [ESr88]) and have
given rise to automata-based decision procedures for a number of logics (e.g. [Em85],
[VW86]).

^25 For thoroughness, completeness proofs for each of the Hilbert-style proof systems
are given. They are just variants of the standard constructions of Kripke models of
maximal-consistent sets (with the usual extra work caused by the * operator).

^26 In the case of temporal and dynamic logics, subformulas are replaced by formulas
in the Fischer-Ladner closure.

The tableaux systems presented here are in a different tradition. The system is an
extension of the treatment of modal tableaux in [NS93] and [Ne90], which is in turn
a descendant of the modal prefixed tableaux systems of Fitting [Fi72] and [Fi83] Ch.
8. The essential idea, which traces back to Fitch, is to add to the formal language of
proofs symbols intended to name possible worlds in Kripke models, taking to heart
the central idea from Beth [Be59] that the construction of a tableaux proof is an
attempt to build a countermodel. So to give symbolic representation to such models,
I include in the formal language of proofs not only symbols for possible worlds, but
also symbols for both the accessibility relation and the function. A tableaux is a
labelled binary tree where the labels are either signed forcing assertions:

$T[\, t \Vdash \varphi \,]$ or $F[\, t \Vdash \varphi \,]$

or accessibility assertions:

$t R s$

The $t, s$ are functional terms generated from a stock of primitive world symbols $w_i$, $i \in \mathbb{N}$.
For the logics S4F and S4C, terms come from iterates of a single unary function
symbol $F$, and have the form $F^k(w_i)$ for some $k \in \mathbb{N}$, while for the dynamic logic
TPDL, the terms are of the form $(F_{j_n} \circ \cdots \circ F_{j_1})(w_i)$, generated from compositions
of unary function symbols $F_j$, $j \in \mathbb{N}$.

The tableaux development rules for signed forcing assertions break down (analyze)
complex formulas $\varphi$ and simultaneously build up (synthesize) complex terms $t$; these
rules capture the various clauses of the definition of forcing for Kripke frames. For
accessibility assertions, the development rules capture the reflexivity and transitivity
of $R$, and for the classes of S4C or TPDL tableaux, there is the continuity rule
capturing the monotonicity of $F$ or the $F_j$ with respect to $R$.

A tableaux with root $F[\, w_0 \Vdash \varphi \,]$ is a proof of $\varphi$ exactly when every path
(branch) through the tableaux contains contradictory signed forcing assertions. A
“failed” proof has a non-contradictory path $P$ which naturally defines a term frame
$\mathcal{K}_P$ and a valuation $\eta_P$ such that all the assertions on the path are true in the model
$(\mathcal{K}_P, \eta_P)$. So if the root entry is $F[\, w_0 \Vdash \varphi \,]$, then $\varphi$ is falsified at $w_0$ in the model,
while $\varphi$ is satisfied at $w_0$ in the model if the root entry is $T[\, w_0 \Vdash \varphi \,]$.

The domain of the term frame $\mathcal{K}_P$ is generated from the primitive world symbols
$w_i$ appearing in signed forcing assertions on $P$ by closing under $F$ or the $F_j$; this
ensures that the term constructor functions $t \mapsto F(t)$ or $t \mapsto F_j(t)$ are total, since
these interpret the single action $a$, or the atomic actions $\Sigma = \{a_j \mid j \in \mathbb{N}\}$ in the
language of TPDL. The relation $R_P$ on $W_P$ is the reflexive and transitive closure
of the relation defined by the accessibility assertions occurring on the path $P$; for
S4C (TPDL) tableaux, we also take the $F$-functional ($F_j$-functional) closure of this
relation, so that $(t, s) \in R_P$ implies $(F(t), F(s)) \in R_P$ ($(F_j(t), F_j(s)) \in R_P$). The
tableaux development rules, especially that for $F[\, t \Vdash \Box\varphi \,]$ assertions which force the
introduction of a new primitive world symbol $w_i$ and an entry $t R w_i$, ensure that
the relation defined by the accessibility assertions occurring on a path $P$ is always a
partial order. Hence the closure $R_P$ is always a partial order, and so the induced cone
topology on $W_P$ is a $T_0$ D-topology.

In proving completeness, we give a deterministic algorithm for constructing the
complete systematic tableaux (CST) with root entry $F[\, w_0 \Vdash \varphi \,]$, that applies every
tableaux development rule that can be applied. The construction either terminates
with a contradiction on every path, thus yielding a tableaux proof, or else continues
indefinitely, producing an infinite tableaux. A non-contradictory path $P$ through a
CST naturally defines a valuation $\eta_P$ for the term frame $\mathcal{K}_P$ such that the formula $\varphi$
is falsified at $w_0$ in the model $(\mathcal{K}_P, \eta_P)$.

To prove the finite model property for each of the logics, I define a quotient of the
term frame $\mathcal{K}_P$ for a non-contradictory path $P$ through a CST. The quotient uses the
set $S_P(t)$ of signed forcing assertions on $P$ with subject $t$, and identifies terms $t, s \in W_P$
such that $S_P(t) = S_P(s)$. For the logics S4F and S4C, the sets $S_P(t)$ are consistent
subsets of the set of signed subformulas of the formula $\varphi$ in the root entry, while for
TPDL, each $S_P(t)$ is a consistent subset of the signed Fischer-Ladner closure of $\varphi$. In
either case, the quotient is finite, and the path valuation $\eta_P$ faithfully passes through
to the quotient. The sets of formulas $S_P(t)$ are essentially signed Hintikka sets, as
used in the orthodox treatment of tableaux for modal logics; see, for example, [BS84],
[BMP83].

In summary, each of the logics S4F, S4C and TPDL are complete for the class
of their appropriate topological structures based on countable state spaces with $T_0$
D-topologies; they are also complete for the class of their appropriate topological
structures based on finite state spaces (whose topologies are necessarily D-topologies).
However, they cannot be complete for the intersection of the corresponding pair of
classes since from [Kri63], §5.1, S4 is not complete for the class of finite spaces with
$T_0$ topologies, or equivalently, finite partially-ordered Kripke frames.

Just  as  this  document  was  being  completed,  I  obtained  three  short  abstracts  of 
work  on  “Dynamic  Topological  Logics”  by  Kremer,  Mints  and  Rybakov  [KrMi97], 
[Kre97],  [KrMiR97].  They  have  independently  developed  S4-based  dynamic  logics, 
called DTL’s. Their logics include a “next” operator corresponding to the $[a]$ modality,
for a single atomic action $a$, and a “star” operator corresponding to $[a^*]$ for
atomic  a.  The  abstracts  announce  axiomatizations  of  various  fragments;  for  example, 
the  star-free  fragment  of  the  logic  DTL^^  of  homeomorphic  functions. 


1.5  Formal  Methods  in  Hybrid  Systems 

Much of the work in formal methods for hybrid systems focuses on various classes of
automata. One of the foundational papers is [ACHH93], which introduces the class
of hybrid automata. These are discrete transition systems on a finite set of control
locations, with the behavior of real-valued variables in each location governed by
differential equations and subject to an invariant condition. (See also [ACH+95],
[He96].) Hybrid automata generalize a class of timed automata ([AD90], [AD94]) in
which clock variables take real values. Real-time temporal logics have also been proposed
as specification languages for hybrid systems, such as TCTL which extends the
branching time temporal logic CTL by the addition of “clocks”, with the semantics
of the logic given by timed automata ([ACD93], [HeK97]).

This work proceeds on a somewhat different line of inquiry, since it takes as its
starting point the idea that in a logic for hybrid systems, topology is an essential
ingredient. Some common ground can be found in recent work by Henzinger and his
coworkers [GHeJ97] on robust timed automata. That paper starts from the idea that
an automaton model which represents an event occurring at an exact real time $t \in \mathbb{R}^+$
is not physically realizable; in any physical realization, the most that can be guaranteed
is that the event occurs in an interval $(t - \epsilon, t + \epsilon)$. The acceptance and rejection
conditions of timed automata are modified so that if a robust timed automaton accepts
a trajectory, it must also accept every trajectory in an $\epsilon$-neighborhood of that
trajectory, and likewise for rejection. The underlying topology is a metric topology
on the set of finite words $(\Sigma \times \mathbb{R}^+)^*$ (trajectories), where $\Sigma$ is a finite alphabet


1.6  Boundaries  of  this  Investigation 


Although drawing its motivation from hybrid control systems, and their “continuous
dynamics”, this work is primarily a formal study in modal logic. There are many
points of interest not addressed; I envisage it as the beginning of a larger research
project. In telegraphic form, topics of further investigation include the following:

• A decent concrete example, to illustrate how the logics can be practically used
for hybrid control systems;

• Getting more value out of the tableaux proof system, including working out an
explicit tableaux-based decision procedure which yields finite term models;

• Extensions: Look for decidable fragments of first order extensions, as well as
propositional extensions such as poly-S4 based logics of multiple topologies, say
$\Box_{in}$ and $\Box_{out}$, in which case the continuity of $f_a : (X, \mathcal{T}_{in}) \to (X, \mathcal{T}_{out})$ is captured
by the scheme:

or enriching the modalities of TPDL to represent the actions of multiple control
agents, necessitating a treatment of concurrency;

• Dealing with time as a distinguished coordinate, since there are good reasons for
wanting purely temporal modalities, drawing on the abstract treatment of time
domains of Nicollin and Sifakis in [NiSi92] and [NiSiY92];

• Topological completeness: look for “real” topological completeness results like
those of [MT44] and [RS63] for S4 for dense-in-themselves metric spaces, starting
by studying the finite subtopologies of such spaces;

• Exploring the algebraic richness of the TPDL semantic structures, including
extending the work of Pratt [Pra79] and Kozen [Koz82] on dynamic algebras to
topological dynamic algebras.




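Chapter 2

The Logic S4F

2.1 Syntax and Topological Semantics

Definition 2.1.1 Let $\mathcal{L}_{\Box a}$ be the propositional language generated from a countable
set $AP$ of atomic propositions, the propositional connectives $\neg$ (negation) and $\to$
(implication), and the modal operators $\Box$ and $[a]$.

Within the language $\mathcal{L}_{\Box a}$, we can define in the usual way the propositional constants
and the other classical propositional connectives in terms of $\neg$ and $\to$, and the
diamond operators $\Diamond$ and $\langle a \rangle$ as the classical duals of $\Box$ and $[a]$, respectively:

$$\begin{aligned}
\bot &= \neg(p \to p) \quad \text{for some } p \in AP \\
\top &= \neg\bot \\
\varphi \wedge \psi &= \neg(\varphi \to \neg\psi) \\
\varphi \vee \psi &= \neg\varphi \to \psi \\
\varphi \leftrightarrow \psi &= (\varphi \to \psi) \wedge (\psi \to \varphi) \\
\Diamond\varphi &= \neg\Box\neg\varphi \\
\langle a \rangle\varphi &= \neg[a]\neg\varphi
\end{aligned}$$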

Definition 2.1.2 A topological structure for the propositional language $\mathcal{L}_{\Box a}$ is a
triple $\mathfrak{T} = (X, \mathcal{T}, f)$ where

• $X$ is the state space;

• $\mathcal{T} \subseteq \mathcal{P}(X)$ is a topology on $X$ (i.e. $\emptyset, X \in \mathcal{T}$, and $\mathcal{T}$ is closed under arbitrary
unions and finite intersections); and

• $f : X \to X$ is a total function.

Sets $U \in \mathcal{T}$ are called open (in $\mathcal{T}$), and $A \subseteq X$ is called closed (in $\mathcal{T}$) iff $A = -U$ for
some $U \in \mathcal{T}$. Note that at this stage, $f$ is not assumed to be anything other than
total. Our task, after all, is to discern the meaning of $f$ being continuous with respect
to $\mathcal{T}$.


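Definition 2.1.3 A valuation for a topological structure $\mathfrak{T} = (X, \mathcal{T}, f)$ is any map
$\xi : AP \to \mathcal{P}(X)$ assigning a subset $\xi(p) \subseteq X$ to each $p \in AP$. Each such valuation
uniquely extends to a valuation map $\|\cdot\|_\xi : \mathcal{L}_{\Box a} \to \mathcal{P}(X)$, satisfying the following
clauses:

$$\begin{aligned}
\|p\|_\xi &= \xi(p) \\
\|\varphi \to \psi\|_\xi &= -\|\varphi\|_\xi \cup \|\psi\|_\xi \\
\|\Box\varphi\|_\xi &= int_{\mathcal{T}}(\|\varphi\|_\xi) \\
\|[a]\varphi\|_\xi &= f^{-1}(\|\varphi\|_\xi)
\end{aligned}$$

where $int_{\mathcal{T}}$ is the interior operator determined by the topology $\mathcal{T}$, i.e. for all $A \subseteq X$,

$$int_{\mathcal{T}}(A) = \bigcup \{U \in \mathcal{T} \mid U \subseteq A\}$$

and $f^{-1}$ is the inverse-image operator determined by the total function $f$:

$$f^{-1}(A) = \{x \in X \mid f(x) \in A\}$$

Continuing the metaphor of a basis for a topology as a collection of lenses, one
can think of the interior $int_{\mathcal{T}}(A)$ as that part of the set $A$ which can be discerned
through the lenses of $\mathcal{T}$. If $\mathcal{B}_{\mathcal{T}} = \{B_i \mid i \in I\}$ is a basis for $\mathcal{T}$, then:

$$int_{\mathcal{T}}(A) = \bigcup \{B_i \in \mathcal{B}_{\mathcal{T}} \mid B_i \subseteq A\}$$

So $\Box\varphi$ may be read as “discernibly $\varphi$”. Thinking of a topology $\mathcal{T}$ as a collection of
meaningful regions of $X$, $\Box\varphi$ may be read as “meaningfully $\varphi$”.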

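Definition 2.1.4 A topological model for $\mathcal{L}_{\Box a}$ is a pair $(\mathfrak{T}, \xi)$ where $\mathfrak{T} = (X, \mathcal{T}, f)$
is a topological structure for $\mathcal{L}_{\Box a}$ and $\xi : AP \to \mathcal{P}(X)$ is a valuation for $\mathfrak{T}$.

Definition 2.1.5 Let $\varphi \in \mathcal{L}_{\Box a}$ be a propositional formula.

• $\varphi$ is satisfied at a state $x \in X$ in a topological model $(\mathfrak{T}, \xi)$ iff $x \in \|\varphi\|_\xi$;

• $\varphi$ is true in a topological model $(\mathfrak{T}, \xi)$, written $(\mathfrak{T}, \xi) \models \varphi$, iff $\|\varphi\|_\xi = X$;

• $\varphi$ is valid in a topological structure $\mathfrak{T}$, written $\mathfrak{T} \models \varphi$, iff for all valuations $\xi$
for $\mathfrak{T}$, we have $\|\varphi\|_\xi = X$;

• $\varphi$ is topologically valid iff $\mathfrak{T} \models \varphi$ for every topological structure $\mathfrak{T} = (X, \mathcal{T}, f)$
for $\mathcal{L}_{\Box a}$.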


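The topological semantics for the defined constants, connectives and modal operators
are as one would expect.

$$\begin{aligned}
\|\bot\|_\xi &= \emptyset \\
\|\top\|_\xi &= X \\
\|\varphi \wedge \psi\|_\xi &= \|\varphi\|_\xi \cap \|\psi\|_\xi \\
\|\varphi \vee \psi\|_\xi &= \|\varphi\|_\xi \cup \|\psi\|_\xi \\
\|\Diamond\varphi\|_\xi &= cl_{\mathcal{T}}(\|\varphi\|_\xi) \\
\|\langle a \rangle\varphi\|_\xi &= f^{-1}(\|\varphi\|_\xi)
\end{aligned}$$

where $cl_{\mathcal{T}}$ is the closure operator determined by the topology $\mathcal{T}$, i.e. for any $A \subseteq X$,

$$\begin{aligned}
cl_{\mathcal{T}}(A) &= (-\,int_{\mathcal{T}}\,-)(A) \\
&= \bigcap \{C \mid -C \in \mathcal{T} \text{ and } A \subseteq C\}
\end{aligned}$$

Observe that for any topological structure $\mathfrak{T} = (X, \mathcal{T}, f)$ and valuation $\xi$ for $\mathfrak{T}$,

$$\|\varphi \to \psi\|_\xi = X \quad \text{iff} \quad \|\varphi\|_\xi \subseteq \|\psi\|_\xi$$

More generally,

$$\|\varphi \to \psi\|_\xi = \{x \in X \mid \text{if } x \in \|\varphi\|_\xi \text{ then } x \in \|\psi\|_\xi\}$$

The proposed reading of formulas of the form:

$$\psi \to [a]\varphi$$

as “action $a$ always takes $\psi$ states to $\varphi$ states” is based on the fact that in any
topological model $(\mathfrak{T}, \xi)$,

$$(\mathfrak{T}, \xi) \models \psi \to [a]\varphi \quad \text{iff} \quad \text{for all } x \in X, \text{ if } x \in \|\psi\|_\xi \text{ then } f(x) \in \|\varphi\|_\xi.$$

Note also that if $I$ is a finite set and $q_i$, $i \in I$, are atomic propositions, the formulas:

$$\bigwedge_{i \in I} (q_i \leftrightarrow \Box q_i) \quad \text{and} \quad \bigvee_{i \in I} q_i$$

are true in a model $(\mathfrak{T}, \xi)$ exactly when $\{\xi(q_i)\}_{i \in I}$ is a finite open cover of the
topological space $(X, \mathcal{T})$.

Note that there are no restrictions on valuations $\xi : AP \to \mathcal{P}(X)$; i.e. each $\xi(p)$
is an arbitrary subset of $X$.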

Definition 2.1.6 Given a topological space $(X, \mathcal{T})$, let

$$\mathfrak{B}_{\mathcal{T}}(X) = (\mathcal{P}(X), \cup, \cap, X, \emptyset, int_{\mathcal{T}})$$

denote the topological Boolean algebra [RS63] with universe $\mathcal{P}(X)$ determined by
$\mathcal{T}$, i.e. the complete Boolean algebra of all subsets of $X$, equipped with the interior
operator $int_{\mathcal{T}} : \mathcal{P}(X) \to \mathcal{T} \subseteq \mathcal{P}(X)$, which satisfies:

(i) $int_{\mathcal{T}}(A) \subseteq A$

(ii) $int_{\mathcal{T}}(int_{\mathcal{T}}(A)) = int_{\mathcal{T}}(A)$

(iii) $int_{\mathcal{T}}(A \cap B) = int_{\mathcal{T}}(A) \cap int_{\mathcal{T}}(B)$

(iv) $int_{\mathcal{T}}(X) = X$

In McKinsey and Tarski [MT44], topological Boolean algebras go by the name
of closure algebras, and in the survey of Bull and Segerberg [BS84], and elsewhere,
the term modal algebra is used for a broad class of algebras consisting of Boolean
algebras equipped with unary operators satisfying various modal logic conditions.
Moreover, from [MT44] and [RS63] III.4.3, every topological Boolean algebra $\mathcal{A} =
(A, \vee, \wedge, -, 1, 0, I)$ is isomorphic with an algebra $\mathfrak{B}_{\mathcal{T}}(X)$ for some topological space
$(X, \mathcal{T})$.

So algebraically, the topological models $(X, \mathcal{T}, f, \xi)$ correspond to evaluating formulas
of $\mathcal{L}_{\Box a}$ in the topological Boolean algebra $\mathfrak{B}_{\mathcal{T}}(X)$, together with the inverse-image
operator $f^{-1} : \mathcal{P}(X) \to \mathcal{P}(X)$ of the total function $f$ on $X$. As an operator on
$\mathcal{P}(X)$, $f^{-1}$ has particularly strong properties:

$$\begin{aligned}
f^{-1}(-A) &= -f^{-1}(A) \\
f^{-1}(A \cup B) &= f^{-1}(A) \cup f^{-1}(B) \\
f^{-1}(A \cap B) &= f^{-1}(A) \cap f^{-1}(B) \\
f^{-1}(\emptyset) &= \emptyset \\
f^{-1}(X) &= X
\end{aligned}$$

for all $A, B \in \mathcal{P}(X)$; i.e. $f^{-1}$ preserves complements, unions, intersections, and the
bottom ($\emptyset$) and top ($X$) elements. (The totality of $f$ is required for the last equation
since $f^{-1}(X) = dom(f)$.) Moreover, $f^{-1}$ preserves arbitrary unions and intersections:

for any family of sets $\subseteq \mathcal{P}(X)$. Since $f^{-1}$ preserves complements, it follows
that

$$\|\langle a \rangle\varphi\|_\xi = f^{-1}(\|\varphi\|_\xi) = \|[a]\varphi\|_\xi$$

in all topological models $(\mathfrak{T}, \xi)$. When the apparatus of propositional dynamic logic
PDL is adjoined in Chapter 5, we will have more to say about unary operators on
the topological Boolean algebra $\mathfrak{B}_{\mathcal{T}}(X)$.

Recall that the standard Gödel embedding of Intuitionistic propositional logic
Int into S4 proceeds by “Boxing” all atomic propositions, i.e. $\Box p$, and defining
Intuitionistic negation $\sim$ and Intuitionistic implication $\Rightarrow$ by:

$$\begin{aligned}
\sim\varphi &= \Box\neg\varphi \\
\varphi \Rightarrow \psi &= \Box(\varphi \to \psi)
\end{aligned}$$

So in an Intuitionistic topological semantics for the language $\mathcal{L}_{\Box a}$, we would require
a restriction to a subclass of valuations $\xi : AP \to \mathcal{P}(X)$ such that $\xi(p) \in \mathcal{T}$ for
all $p \in AP$, interpret negation as the interior of the complement, and interpret
implication as the interior of classical implication. Interpreting $\Box$ by the interior
operator would be vacuous, since all sets under consideration would already be open.
To ensure that $f^{-1}(U)$ is open whenever $U$ is open, we would need to insist that
the function $f$ be continuous. The advantage of taking S4 rather than Int as our
base logic is that in adding the $[a]$ modality, we can express in the language both the
openness of sets and the continuity of a function.


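2.2 Hilbert-style Proof System

Definition 2.2.1 The Hilbert-style proof system for the logic S4F has the following
axiom schemes, in the language $\mathcal{L}_{\Box a}$:

CP : axioms of classical propositional logic in $\mathcal{L}_{\Box a}$

□K : $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$

□T : $\Box\varphi \to \varphi$

□4 : $\Box\varphi \to \Box\Box\varphi$

[a]K : $[a](\varphi \to \psi) \to ([a]\varphi \to [a]\psi)$

[a]F : $[a]\varphi \leftrightarrow \langle a \rangle\varphi$

where $\langle a \rangle\varphi$ abbreviates $\neg[a]\neg\varphi$, together with the inference rules:

modus ponens: $\dfrac{\varphi, \quad \varphi \to \psi}{\psi}$

□-necessitation: $\dfrac{\varphi}{\Box\varphi}$

[a]-necessitation: $\dfrac{\varphi}{[a]\varphi}$

We write

$$\mathrm{S4F} \vdash_H \varphi$$

or say $\varphi$ is S4F$_H$ provable, if the formula $\varphi \in \mathcal{L}_{\Box a}$ has an S4F Hilbert-style derivation.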


The axiom schemes □K, □T and □4, together with CP, and the rules of modus
ponens and □-necessitation, constitute the standard Hilbert-style proof system for
propositional S4. The [a]F axiom is of course equivalent to the conjunction of the
schemes

[a]D : $[a]\varphi \to \langle a \rangle\varphi$

and

[a]Dc : $\langle a \rangle\varphi \to [a]\varphi$

The first is the well-known deontic scheme (“ought implies can”), while the second
goes by the name of determinism in the dynamic logic literature. In virtue of the axiom
[a]K and the rule of [a]-necessitation, $[a]$ is a normal modal (necessity) operator.

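The following are S4F$_H$ provable, for any formulas $\varphi, \psi \in \mathcal{L}_{\Box a}$ and $k \in \mathbb{N}$, where
if $k > 0$, $[a]^k\varphi$ denotes the formula $[a][a]\ldots[a]\varphi$, with $k$ iterations of the $[a]$ operator
and if $k = 0$, then $[a]^0\varphi$ is just $\varphi$.

$[a]^k\neg$ : $\neg[a]^k\varphi \leftrightarrow [a]^k\neg\varphi$

$[a]^k\!\to$ : $[a]^k(\varphi \to \psi) \leftrightarrow ([a]^k\varphi \to [a]^k\psi)$

$[a]^k\wedge$ : $[a]^k(\varphi \wedge \psi) \leftrightarrow ([a]^k\varphi \wedge [a]^k\psi)$

$[a]^k\vee$ : $[a]^k(\varphi \vee \psi) \leftrightarrow ([a]^k\varphi \vee [a]^k\psi)$

$[a]^k\top$ : $[a]^k\top$

$[a]^k\bot$ : $[a]^k\bot \leftrightarrow \bot$

$[a]^k\Box$ : $[a]^k\Box\varphi \to [a]^k\varphi$

$[a]^k\Diamond$ : $[a]^k\varphi \to [a]^k\Diamond\varphi$

□□ : $\Box\Box\varphi \leftrightarrow \Box\varphi$

□∧ : $\Box(\varphi \wedge \psi) \leftrightarrow (\Box\varphi \wedge \Box\psi)$

□∨ : $(\Box\varphi \vee \Box\psi) \to \Box(\varphi \vee \psi)$

□⊤ : $\Box\top$

◇T : $\varphi \to \Diamond\varphi$

◇◇ : $\Diamond\Diamond\varphi \leftrightarrow \Diamond\varphi$

◇∧ : $\Diamond(\varphi \wedge \psi) \to (\Diamond\varphi \wedge \Diamond\psi)$

◇∨ : $\Diamond(\varphi \vee \psi) \leftrightarrow (\Diamond\varphi \vee \Diamond\psi)$

◇⊥ : $\Diamond\bot \leftrightarrow \bot$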

The following are admissible inference rules in S4F$_H$, for any formulas $\varphi, \psi, \chi \in
\mathcal{L}_{\Box a}$ and $k, l \in \mathbb{N}$:

$[a]^k$-necessitation: $\dfrac{\varphi}{[a]^k\varphi}$

Monotonicity of $[a]^k$: $\dfrac{\varphi \to \psi}{[a]^k\varphi \to [a]^k\psi}$

Hoare composition: $\dfrac{\varphi \to [a]^k\chi, \quad \chi \to [a]^l\psi}{\varphi \to [a]^{k+l}\psi}$

Observe that there are no axioms for S4F containing both $\Box$ and $[a]$, so the
behaviors of the two modalities are quite independent and the logic can be thought
of as a “direct product” of S4 and F. When we adjoin a true bimodal axiom such as

Cont : $[a]\Box\varphi \to \Box[a]\varphi$

the result is a richer “amalgamated product” of S4 and F.


Proposition 2.2.2 Topological Soundness of S4F Hilbert-style proof system
For all formulas $\varphi$ of $\mathcal{L}_{\Box a}$, if S4F $\vdash_H \varphi$ then $\varphi$ is topologically valid.

Proof. The topological validity of the S4 axioms for $\Box$ plus the validity-preservation
of modus ponens and □-necessitation follow trivially from the properties of the interior
operator; see [McK41], [MT44]. The semantical validity of the [a]-necessitation rule
translates as

$$\|\varphi\|_\xi = X \quad \text{implies} \quad f^{-1}(\|\varphi\|_\xi) = X$$

and the equation $f^{-1}(X) = X$ holds exactly when $f : X \to X$ is a total function. The
validity of the F axioms for $[a]$ is immediate from the properties of the inverse-image
operator. ■
2.3 Kripke Semantics

Although Tarski and McKinsey’s topological and algebraic semantics for S4 predate
Kripke’s relational semantics, the interpretation of modal operators via binary
“accessibility” relations is now the standard approach. We now define Kripke models
for the language $\mathcal{L}_{\Box a}$, and in the following section, we investigate transformations
between the two types of models.

Definition 2.3.1 A Kripke frame for $\mathcal{L}_{\Box a}$ is a triple $\mathcal{K} = (W, R, F)$, where

• $W \neq \emptyset$ is a set of “worlds”;

• $R \subseteq W \times W$ is a reflexive and transitive binary relation on $W$; and

• $F : W \to W$ is a total function on $W$.

A Kripke frame $\mathcal{K} = (W, R, F)$ is called finite iff $W$ is a finite set.

By standard arguments, reflexive and transitive binary relations capture precisely
the S4 $\Box$ modality. As in [Lem77], §4, pp.60-61, a total function $F : W \to W$ is
used to interpret the $[a]$ modality. If one prefers to interpret modalities with a binary
relation on $W$, take $Q = graph(F)$. Then as a binary relation, $Q$ is both “total” and
“functional”, i.e. for all $w \in W$, there exists a unique $v \in W$ such that $(w, v) \in Q$.
The “totality” or “serial” condition: every $w \in W$ has at least one $Q$-successor, is
characteristic for the deontic scheme:

[a]D : $[a]\varphi \to \langle a \rangle\varphi$

The converse scheme:

[a]Dc : $\langle a \rangle\varphi \to [a]\varphi$

is characterized by the “functionality” or “determinism” condition: every $w \in W$ has
at most one $Q$-successor.

Footnote: Relational semantics for S4 can also be extracted as a special case from Theorems
3.3 and 3.5 of Jonsson and Tarski’s work on Boolean algebras with operators [JT51],
although as noted in [Kri63], Kripke’s semantics were developed independently of
these results.


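Definition 2.3.2 A valuation for a Kripke frame $\mathcal{K} = (W, R, F)$ is a map $\eta : W \to
\mathcal{P}(AP)$ assigning a set of atomic propositions $\eta(w) \subseteq AP$ to each world $w \in W$.
Each such valuation for $\mathcal{K}$ determines a forcing relation $\Vdash_\eta \subseteq W \times AP$ defined
by

$$w \Vdash_\eta p \quad \text{iff} \quad p \in \eta(w)$$

which uniquely extends to a forcing relation $\Vdash_\eta \subseteq W \times \mathcal{L}_{\Box a}$ (with the same name) on all
formulas of $\mathcal{L}_{\Box a}$, by the following clauses:

(i) $w \Vdash_\eta \neg\varphi$ iff $w \nVdash_\eta \varphi$;

(ii) $w \Vdash_\eta \varphi \to \psi$ iff $w \nVdash_\eta \varphi$ or $w \Vdash_\eta \psi$;

(iii) $w \Vdash_\eta \Box\varphi$ iff for all $v \in W$, if $(w, v) \in R$ then $v \Vdash_\eta \varphi$;

(iv) $w \Vdash_\eta [a]\varphi$ iff $F(w) \Vdash_\eta \varphi$

for all $w \in W$, and all $\varphi, \psi \in \mathcal{L}_{\Box a}$.

If $Q = graph(F)$, then by the total functionality of $Q$, this last clause is equivalent
to

$$w \Vdash_\eta [a]\varphi \quad \text{iff} \quad \text{for all } v \in W, \text{ if } (w, v) \in Q \text{ then } v \Vdash_\eta \varphi.$$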


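Definition 2.3.3 A Kripke model for $\mathcal{L}_{\Box a}$ is a pair $(\mathcal{K}, \eta)$, where $\mathcal{K} = (W, R, F)$ is
a frame for $\mathcal{L}_{\Box a}$ and $\eta : W \to \mathcal{P}(AP)$ is a valuation for $\mathcal{K}$.

Definition 2.3.4 Let $\varphi$ be a propositional formula of $\mathcal{L}_{\Box a}$.

• $\varphi$ is satisfied (or forced) at a world $w \in W$ in a Kripke model $(\mathcal{K}, \eta)$ iff $w \Vdash_\eta \varphi$;

• $\varphi$ is true in a Kripke model $(\mathcal{K}, \eta)$, written $(\mathcal{K}, \eta) \Vdash \varphi$, iff for all worlds $w \in W$,
we have $w \Vdash_\eta \varphi$;

• $\varphi$ is valid in a frame $\mathcal{K}$, written $\mathcal{K} \Vdash \varphi$, iff for all valuations $\eta : W \to \mathcal{P}(AP)$
for $\mathcal{K}$, we have $(\mathcal{K}, \eta) \Vdash \varphi$;

• $\varphi$ is Kripke valid iff $\mathcal{K} \Vdash \varphi$ for all frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$.

Proposition 2.3.5 Kripke Soundness of S4F Hilbert-style proof system
For all formulas $\varphi$ of $\mathcal{L}_{\Box a}$, if S4F $\vdash_H \varphi$ then $\varphi$ is Kripke valid.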
Proof. The required verification is that each of the axioms of S4F$_H$ is Kripke valid,
and that the inference rules of S4F$_H$ preserve Kripke validity. For the axioms CP
of classical propositional logic and for modus ponens, this is trivial. The verification
for the S4 axioms K, T and 4, and the □-necessitation rule follows the standard
proof of soundness of the class of transitive and reflexive frames for S4; see, for
example, [HC96], pp. 56-57. For the [a]-necessitation rule, suppose $\varphi$ is Kripke valid,
let $\mathcal{K} = (W, R, F)$ be a frame for $\mathcal{L}_{\Box a}$, and let $\eta$ be a valuation for $\mathcal{K}$. Since $\varphi$ is
Kripke valid and $F(w) \in W$ since $F$ is total, we have $F(w) \Vdash_\eta \varphi$. Hence $w \Vdash_\eta [a]\varphi$.
Hence $[a]\varphi$ is also Kripke valid. The verification of the validity of the [a]K and [a]F
axioms is also straightforward, taking as a starting point the fact that for any formula
$\varphi$ and any $w \in W$, either $F(w) \Vdash_\eta \varphi$ or $F(w) \nVdash_\eta \varphi$, and then crunching through the
definitions of forcing for $\neg$, $\to$ and $[a]$. ■

The Hilbert-style proof system for S4F is “obviously” complete with respect to
the Kripke semantics. For the purposes of the “completeness” of this investigation,
we give the standard but “cheap” maximal-consistent sets proof, using as a template
the generic treatment of modal logics in [Gol92], Part One, §3. Building a Kripke
model out of maximal-consistent sets of formulas doesn’t take much work, but then
the resulting structure doesn’t have much in the way of intuitive content. Our real
interest is in the tableaux proof system developed in Chapter 4, where the proof
of completeness takes rather more effort, but the reward is a more intuitive and
conceptually transparent Kripke model constructed out of functional terms appearing
on a path through the tableaux.

Definition 2.3.6 Let $\mathcal{L}$ be a propositional language generated from a countable set
of atomic propositions. A set of formulas $\Lambda \subseteq \mathcal{L}$ is called a logic (in $\mathcal{L}$) iff every
tautology in $\mathcal{L}$ is in $\Lambda$, and $\Lambda$ is closed under modus ponens. A formula $\varphi \in \mathcal{L}$ is a
theorem of $\Lambda$, written $\vdash_\Lambda \varphi$, exactly when $\varphi \in \Lambda$.

Let $U$ be any set of formulas of $\mathcal{L}$.

A formula $\varphi \in \mathcal{L}$ is $\Lambda$-deducible from $U$, written $U \vdash_\Lambda \varphi$, iff there is a finite
number of formulas $\psi_1, \ldots, \psi_n \in U$ such that: $\vdash_\Lambda (\psi_1 \wedge \ldots \wedge \psi_n) \to \varphi$.

$U$ is called $\Lambda$-consistent iff there is some formula of $\mathcal{L}$ that is not $\Lambda$-deducible from
$U$; equivalently, $U \nvdash_\Lambda \bot$.

$U$ is called maximal $\Lambda$-consistent iff $U$ is $\Lambda$-consistent and for all formulas $\varphi \in \mathcal{L}$,
either $\varphi \in U$ or $\neg\varphi \in U$.

A formula $\varphi \in \mathcal{L}$ is called $\Lambda$-consistent iff the set $\{\varphi\}$ is $\Lambda$-consistent; equivalently,
$\nvdash_\Lambda \neg\varphi$.

We let S4F (and likewise for subsequent extensions) denote the set of all formulas
$\varphi \in \mathcal{L}_{\Box a}$ such that S4F $\vdash_H \varphi$. In particular, every maximal S4F-consistent set
$U \subseteq \mathcal{L}_{\Box a}$ contains all instances of the axiom schema of S4F.

By Lindenbaum’s Lemma, every $\Lambda$-consistent set of formulas can be extended to
a maximal $\Lambda$-consistent set. It follows that

$$\Lambda = \bigcap \{U \subseteq \mathcal{L} \mid U \text{ is maximal } \Lambda\text{-consistent}\}.$$


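Proposition 2.3.7 Kripke Completeness of S4F Hilbert-style proof system
There exists a Kripke model $(\mathcal{K}_0, \eta_0)$ such that for all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$$(\mathcal{K}_0, \eta_0) \Vdash \varphi \quad \text{iff} \quad \mathrm{S4F} \vdash_H \varphi$$

Proof. The canonical Kripke frame $\mathcal{K}_0 = (W_0, R_0, F_0)$ is defined as follows:

$$\begin{aligned}
W_0 &= \{U \subseteq \mathcal{L}_{\Box a} \mid U \text{ is maximal S4F-consistent}\} \\
(U, V) \in R_0 \quad &\text{iff} \quad (\forall \varphi \in \mathcal{L}_{\Box a})[\ \Box\varphi \in U \Rightarrow \varphi \in V\ ] \\
F_0(U) = V \quad &\text{iff} \quad (\forall \varphi \in \mathcal{L}_{\Box a})[\ [a]\varphi \in U \Rightarrow \varphi \in V\ ]
\end{aligned}$$

and the canonical valuation $\eta_0 : W_0 \to \mathcal{P}(AP)$ for $\mathcal{K}_0$ is defined by:

$$p \in \eta_0(U) \quad \text{iff} \quad p \in U$$

for all $p \in AP$ and $U \in W_0$. By standard arguments, the □T axiom ensures that $R_0$
is reflexive, and the □4 axiom ensures that $R_0$ is transitive. To establish that $F_0$ is
well-defined, it suffices to show for maximal S4F-consistent sets $U, V$,

$$\begin{aligned}
&\text{if } (\forall \varphi \in \mathcal{L}_{\Box a})[\ [a]\varphi \in U \Rightarrow \varphi \in V\ ] \\
&\text{then } (\forall \varphi \in \mathcal{L}_{\Box a})[\ [a]\varphi \in U \Leftrightarrow \varphi \in V\ ]
\end{aligned}$$

in which case $F_0$ satisfies:

$$F_0(U) = \{\varphi \in \mathcal{L}_{\Box a} \mid [a]\varphi \in U\}$$

and is thus a well-defined total function; equivalently, $F_0(U)$ is maximal S4F-consistent
whenever $U$ is. Assume the antecedent holds and $[a]\varphi \notin U$. Hence $\neg[a]\varphi \in U$.
Since S4F $\vdash_H \neg[a]\varphi \leftrightarrow [a]\neg\varphi$ from the [a]F axiom, we must have $[a]\neg\varphi \in U$, hence
by assumption, $\neg\varphi \in V$. Hence $\varphi \notin V$.

An easy induction on formulas establishes the “Truth Lemma”: for all $\varphi \in \mathcal{L}_{\Box a}$
and sets $U \in W_0$,

$$U \Vdash_{\eta_0} \varphi \quad \text{iff} \quad \varphi \in U$$

Then since

$$\mathrm{S4F} \vdash_H \varphi \quad \text{iff} \quad \varphi \in \bigcap \{U \subseteq \mathcal{L}_{\Box a} \mid U \text{ is maximal S4F-consistent}\}$$

we have

$$(\mathcal{K}_0, \eta_0) \Vdash \varphi \quad \text{iff} \quad \mathrm{S4F} \vdash_H \varphi$$

as required. ■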


2.4 Duality of Topological and Kripke Semantics

In this section, we investigate the transformation of a topological structure into a
Kripke frame, and conversely. In the process, we rediscover a correspondence that
can be derived from Grzegorczyk’s [Grz67]: the subclass of topological structures with
D-topologies are the natural duals of Kripke frames for $\mathcal{L}_{\Box a}$; moreover, the duality
transformation gives a semantically faithful bijection between Kripke models and
D-topological models. This duality transformation will establish the correspondence:

Kripke frame $\mathcal{K} = (W, R, F)$            topological structure $\mathfrak{T} = (X, \mathcal{T}, f)$
worlds                                 points in state space
accessibility or “meaning” relation    topology
function                               function
forcing                                membership


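We begin the construction of a reflexive and transitive relation on $X$ from a
topology $\mathcal{T}$ on $X$, in the form presented in Scott’s [Sco72].

Definition 2.4.1 Let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a topological structure for $\mathcal{L}_{\Box a}$. Define a
binary relation $R_{\mathcal{T}} \subseteq X \times X$ by:

$$(x, y) \in R_{\mathcal{T}} \quad \text{iff} \quad (\forall U \in \mathcal{T})[\ x \in U \Rightarrow y \in U\ ]$$

It is immediate that $R_{\mathcal{T}}$ is reflexive and transitive, and since $f : X \to X$ is total,
$\mathcal{K}_{\mathfrak{T}} = (X, R_{\mathcal{T}}, f)$ is a Kripke frame for $\mathcal{L}_{\Box a}$. The frame $\mathcal{K}_{\mathfrak{T}}$ is called the Kripke frame
induced by $\mathfrak{T}$, and $R_{\mathcal{T}}$ is called the relation induced by the topology $\mathcal{T}$.

Thinking of a topology $\mathcal{T}$ as a collection of meaningful regions of $X$, $(x, y) \in R_{\mathcal{T}}$
says that $y$ has all the same (topological) meaning as $x$ has; $R_{\mathcal{T}}$ is the meaning relation
of $\mathcal{T}$. In the category-theoretic language of frames and locales, $R_{\mathcal{T}}$ is known as the
specialization pre-order ([Joh82], §11.1.8, [Smy92], §4.1, and [Vi89], §7.1).

In [Grz67] (Lemma 1), a relation $R'_{\mathcal{T}}$ is defined by:

$$(x, y) \in R'_{\mathcal{T}} \quad \text{iff} \quad x \in cl_{\mathcal{T}}(\{y\})$$

Observe that if $(x, y) \notin R'_{\mathcal{T}}$ then $x \in -cl_{\mathcal{T}}(\{y\}) = int_{\mathcal{T}}(-\{y\})$, so $U = int_{\mathcal{T}}(-\{y\})$
is an open set containing $x$ and not $y$, hence $(x, y) \notin R_{\mathcal{T}}$. Conversely, if $(x, y) \notin R_{\mathcal{T}}$,
then there exists an open set $U \in \mathcal{T}$ such that $x \in U$ and $y \notin U$. Hence $A = -U$
is a closed set such that $x \notin A$ and $y \in A$. Since $cl_{\mathcal{T}}(\{y\})$ is the intersection of all
closed sets containing $y$, we must have $x \notin cl_{\mathcal{T}}(\{y\})$, and so $(x, y) \notin R'_{\mathcal{T}}$. Hence the
Grzegorczyk and Scott definitions are equivalent.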


Recall the following definitions of separation properties for topological spaces.

Definition 2.4.2 Let $(X, \mathcal{T})$ be a topological space.

$(X, \mathcal{T})$ is $T_0$ iff for all $x, y \in X$ with $x \neq y$, there exists $U \in \mathcal{T}$ such that either
$x \in U$ and $y \notin U$, or $y \in U$ and $x \notin U$.

$(X, \mathcal{T})$ is $T_1$ iff for all $x, y \in X$ with $x \neq y$, there exists $U \in \mathcal{T}$ such that $x \in U$
and $y \notin U$.

$(X, \mathcal{T})$ is Hausdorff or $T_2$ iff for all $x, y \in X$ with $x \neq y$, there exist disjoint open
sets $U, V$ such that $x \in U$ and $y \in V$.

Clearly, Hausdorff $\Rightarrow T_1 \Rightarrow T_0$. In most texts in topology or analysis or their
applications, the Hausdorff property is taken as a bare minimum from Chapter 2
onwards; for example, all metric spaces are Hausdorff. Another way of viewing these
properties is to see that in a topological space $(X, \mathcal{T})$ satisfying any separation property
stronger than $T_0$, “meaning” or “information” is concentrated at single points.

Proposition 2.4.3 Let $(X, \mathcal{T})$ be a topological space, and let $R_{\mathcal{T}}$ be the relation induced
by $\mathcal{T}$.

(i) $(X, \mathcal{T})$ is $T_1$ iff $R_{\mathcal{T}}$ is the identity relation on $X$;

(ii) $(X, \mathcal{T})$ is $T_0$ iff $R_{\mathcal{T}}$ is a partial order on $X$.

Proof. The equivalence (i) is immediate, since $(X, \mathcal{T})$ is $T_1$ iff for all $x, y \in X$
with $x \neq y$, $(x, y) \notin R_{\mathcal{T}}$. Equivalence (ii) is also trivial, since $(X, \mathcal{T})$ is $T_0$ iff for
all $x, y \in X$ with $x \neq y$, either $(x, y) \notin R_{\mathcal{T}}$ or $(y, x) \notin R_{\mathcal{T}}$, so the $T_0$ property is
equivalent to the anti-symmetry of $R_{\mathcal{T}}$. ■

Note that if $\mathcal{T}$ is the discrete topology on $X$, then $R_{\mathcal{T}} = I_X$, the identity relation
on $X$. So under the transformation $\mathfrak{T} = (X, \mathcal{T}, f) \mapsto \mathcal{K}_{\mathfrak{T}} = (X, R_{\mathcal{T}}, f)$, from an arbitrary
topological structure to its induced Kripke frame, all structures with topologies
with $T_1$ or stronger get collapsed with structures with the discrete topology. To get a
one-one correspondence between Kripke frames and topological structures, we clearly
need to focus on a smaller class of topologies.


Definition 2.4.4 A topology $\mathcal{T}$ on a space $X$ is a D-topology iff for each $x \in X$,
the set:

$$B_x = \bigcap \{U \in \mathcal{T} \mid x \in U\}$$

is open in $\mathcal{T}$, in which case $(X, \mathcal{T})$ is called a D-space.

Footnote: In [Sco72], Scott’s interest was in partial orders, so the $R_{\mathcal{T}}$ relation was defined
for $T_0$ spaces.
Proposition 2.4.5 Let $(X, \mathcal{T})$ be a topological space. The following are equivalent:

(i) $\mathcal{T}$ is a D-topology on $X$;

(ii) the intersection of any family of open sets is open;

(iii) the union of any family of closed sets is closed;

(iv) for all $A \subseteq X$, $cl_{\mathcal{T}}(A) = \bigcup_{y \in A} cl_{\mathcal{T}}(\{y\})$;

(v) $(\mathcal{T}, \subseteq, \cup, \cap, X, \emptyset, \bigcup, \bigcap)$ is a complete lattice of sets.

Proof. (ii) says that $\mathcal{T}$ is closed under arbitrary intersections (as well as arbitrary
unions), so (ii) $\Leftrightarrow$ (v) is immediate, (ii) $\Leftrightarrow$ (iii) comes from taking complements,
(iii) $\Rightarrow$ (iv) is immediate, and (iv) $\Rightarrow$ (iii) is an easy exercise. (ii) $\Rightarrow$ (i) is trivial,
since $B_x$ is the intersection of all open sets containing $x$. For the converse, suppose
$\mathcal{T}$ is a D-topology on $X$, and let $\{V_i\}_{i \in I} \subseteq \mathcal{T}$ be any family of open sets. Suppose
$x \in \bigcap_{i \in I} V_i$ and let $B_x = \bigcap \{U \in \mathcal{T} \mid x \in U\}$. Then since $x \in V_i$ for all $i \in I$, we
must have $B_x \subseteq V_i$. Since $B_x \in \mathcal{T}$ and

we have $x \in int_{\mathcal{T}}(\bigcap_{i \in I} V_i)$. Hence $\bigcap_{i \in I} V_i$ is open, as required. ■

In [Grz67], §1, a topological space $(X, \mathcal{T})$ is said to be “totally distributive” when
condition (iv) above is satisfied. The following proposition summarizes the important
properties of D-topologies.

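Proposition 2.4.6 If $(X, \mathcal{T})$ is a D-space, $B_x = \bigcap \{U \in \mathcal{T} \mid x \in U\}$ for each $x \in X$,
and $R_{\mathcal{T}}$ is the relation induced by $\mathcal{T}$, then:

(a) The family $\{B_x\}_{x \in X}$ is a basis for the topology $\mathcal{T}$.

(b) For all $x, y \in X$, $(x, y) \in R_{\mathcal{T}}$ iff $B_y \subseteq B_x$.

(c) For all $x \in X$, $B_x = \{y \in X \mid (x, y) \in R_{\mathcal{T}}\}$

(d) For all $A \subseteq X$,

$$int_{\mathcal{T}}(A) = \{x \in X \mid (\forall y \in X)[\ \text{if } (x, y) \in R_{\mathcal{T}} \text{ then } y \in A\ ]\}$$

and

$$cl_{\mathcal{T}}(A) = \{x \in X \mid (\exists y \in X)[\ (x, y) \in R_{\mathcal{T}} \text{ and } y \in A\ ]\}$$

(e) For all $x \in X$ and $\{V_i\}_{i \in I} \subseteq \mathcal{T}$,

$$\text{if } B_x \subseteq \bigcup_{i \in I} V_i, \text{ then } B_x \subseteq V_i \text{ for some } i \in I$$

hence $B_x$ is fully join-irreducible in $\mathcal{T}$, considered as a complete lattice of (open)
sets. Moreover, if $U$ is non-empty and fully join-irreducible in $\mathcal{T}$, then $U = B_x$
for some $x \in X$.

(f) $(X, \mathcal{T})$ is Hausdorff iff $\mathcal{T}$ is the discrete topology on $X$.

(g) $(X, \mathcal{T})$ is $T_1$ iff $\mathcal{T}$ is the discrete topology on $X$.

(h) $(X, \mathcal{T})$ is $T_0$ iff for all $x, y \in X$, $B_x = B_y$ implies $x = y$.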

Proof. For (a), suppose $U \in \mathcal{T}$ and $x \in U$. Then $B_x \subseteq U$ and $x \in B_x$. Hence
$\{B_x\}_{x \in X}$ is a basis for $\mathcal{T}$. For (b), observe that $B_y \subseteq B_x$ iff every open set containing
$x$ also contains $y$. (c) follows immediately from (b). For (d), using Grzegorczyk’s
equivalent definitions of $R_{\mathcal{T}}$ and a D-topology, the closure equation follows immediately
from:

$$cl_{\mathcal{T}}(A) = \{x \in X \mid (\exists y \in X)[\ x \in cl_{\mathcal{T}}(\{y\}) \text{ and } y \in A\ ]\}$$

The interior equation comes by taking complements.

For (e), fix $x \in X$ and $\{V_i\}_{i \in I} \subseteq \mathcal{T}$, and suppose $B_x \subseteq \bigcup_{i \in I} V_i$. Then since the $B_y$’s
form a basis for $\mathcal{T}$, each $V_i$ is a union of $B_y$’s; indeed, $V_i = \bigcup \{B_y \mid B_y \subseteq V_i\}$. Hence

$$B_x \subseteq \bigcup \{B_y \mid B_y \subseteq V_i \text{ for some } i \in I\}.$$

Now since $x \in B_x$, we have $x \in B_y$ for some $y$ and $V_i$ such that $B_y \subseteq V_i$. Since $x \in B_y$
iff $B_x \subseteq B_y$, it follows that $B_x \subseteq B_y \subseteq V_i$ for some $i \in I$.

Recall from lattice theory that $U \in \mathcal{T}$ is fully join-irreducible in $\mathcal{T}$, considered as
a complete lattice, if for all $\{V_i\}_{i \in I} \subseteq \mathcal{T}$,

$$\text{if } U = \bigcup_{i \in I} V_i, \text{ then } U = V_i \text{ for some } i \in I$$

It is readily shown (see, for example, Definition XII.4.3 of [BD74] and the discussion
following it) that this last condition is equivalent to:

$$\text{if } U \subseteq \bigcup_{i \in I} V_i, \text{ then } U \subseteq V_i \text{ for some } i \in I$$

for all $\{V_i\}_{i \in I} \subseteq \mathcal{T}$.

For the converse, suppose $U \in \mathcal{T}$ is fully join-irreducible in $\mathcal{T}$. Then since $U =
\bigcup \{B_x \mid x \in U\}$, we have $U = B_x$ for some $x \in U$, by join-irreducibility.

For (f), if $(X, \mathcal{T})$ is Hausdorff, then for any $x \in X$,

$$B_x = \bigcap \{U \in \mathcal{T} \mid x \in U\} = \{x\} = cl_{\mathcal{T}}(\{x\})$$

hence $\{x\}$ is open (and closed), so $\mathcal{T}$ is the discrete topology. Conversely, the discrete
topology is trivially Hausdorff.

For (g), assume $(X, \mathcal{T})$ is $T_1$. Then given any $U \in \mathcal{T}$ with $x_1, x_2 \in U$ and $x_1 \neq x_2$,
there exist sets $U_1, U_2 \in \mathcal{T}$ such that $x_i \in U_i$ for $i = 1, 2$, but $x_1 \notin U_2$ and $x_2 \notin U_1$.
Take $V = U \cap U_1$ and $W = U \cap U_2$. Then $U = V \cup W$, but if $U = V$ then $U = U \cap U_1$,
so $U \subseteq U_1$, hence $x_2 \notin U$, contradicting the assumption that $x_1, x_2 \in U$. Similarly,
if $U = W$ then $U \subseteq U_2$, hence $x_1 \notin U$, again a contradiction. Hence $U$ is not a join
irreducible of the lattice $\mathcal{T}$. So no set $U \in \mathcal{T}$ containing more than one point can
be a join-irreducible of (or fully join-irreducible in) the lattice $\mathcal{T}$. Since the $B_x$’s are
fully join-irreducible in $\mathcal{T}$, the only possibility is $B_x = \{x\}$ for each $x \in X$, in which
case the topology $\mathcal{T}$ is discrete. Conversely, the discrete topology is trivially $T_1$.

Finally, for (h), we have from Proposition 2.4.3 that $(X, \mathcal{T})$ is $T_0$ iff $R_{\mathcal{T}}$ is a
partial order on $X$. Then use part (b). ■

Now  we  need  to  go  the  other  way:  we  get  a  topology  Tr  from  a  reflexive  and 
transitive  binary  relation  R. 

Definition 2.4.7 Let $\mathcal{K} = (W, R, F)$ be a Kripke frame for $\mathcal{L}_{\Box a}$. Define $\mathcal{T}_R$ to be the topology on $W$ which has as its basic open sets the collection of all sets:

$$B_w = \{v \in W \mid (w, v) \in R\}$$

So $B_w$ is the set of all $v$ that are $R$-accessible from $w$. Since $F : W \to W$ is a total function, $\mathfrak{T}_\mathcal{K} = (W, \mathcal{T}_R, F)$ is a topological structure for $\mathcal{L}_{\Box a}$. The structure $\mathfrak{T}_\mathcal{K}$ is called the topological structure induced by $\mathcal{K}$, and $\mathcal{T}_R$ is the topology on $W$ induced by $R$.

Note that $w \in B_w$ (by the reflexivity of $R$), and $v \in B_w$ implies $B_v \subseteq B_w$ (by the transitivity of $R$); conversely, $B_v \subseteq B_w$ implies $v \in B_w$, since $v \in B_v$. To confirm that the collection $\mathcal{B} = \{B_w \mid w \in W\}$ is suitable as a basis for a topology (and not merely a sub-basis), observe that if both $u \in B_w$ and $u \in B_v$ then we have

$$u \in B_u \subseteq B_w \cap B_v.$$

The topology $\mathcal{T}_R$ is a generalization, to reflexive and transitive relations, of what is called in [Joh82], §11.1.8, the Alexandroff topology $\mathcal{T}_{\leq}$ on a partially-ordered set $(P, \leq)$ generated by the “upper cones” with respect to $\leq$ (see also [Smy92], §2.4). $\mathcal{T}_R$ also goes by the name “cone topology” [Mi95]. In Alexandroff’s Combinatorial Topology [Ale56], I, §6.3, the lower cone $C_p = \{q \in P \mid q \leq p\}$ is called the “combinatorial closure” of the point $p \in P$. It is readily verified that in the topological space $(W, \mathcal{T}_R)$, where $R$ is reflexive and transitive, the lower cone $C_w$ satisfies:

$$C_w = \{v \in W \mid (v,w) \in R\} = cl_{\mathcal{T}_R}(\{w\})$$

Note that in the Scott topology $\mathcal{T}_S$ on a partially-ordered set $(P, \leq)$ ([Sco72], §2), a set $U \subseteq P$ is open iff:

(1.) for all $p, q \in P$, if $p \in U$ and $p \leq q$ then $q \in U$; and

(2.) for all directed sets $D \subseteq P$, if $\bigsqcup D$ exists and $\bigsqcup D \in U$ then $D \cap U \neq \emptyset$;

where $\bigsqcup D$ is the sup or least upper bound of $D$. Open sets in the Alexandroff topology on $(P, \leq)$ are characterized by condition (1.) only, so the Scott topology $\mathcal{T}_S$ is a sub-topology of the Alexandroff topology $\mathcal{T}_{\leq}$ on $P$; i.e. $\mathcal{T}_{\leq}$ has more open sets than $\mathcal{T}_S$.

Scott topologies are only really appropriate if $(P, \leq)$ is a dcpo, in which case $\bigsqcup D$ exists for every directed set $D \subseteq P$.

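The next proposition records the relevant properties of the topology $\mathcal{T}_R$.

Lemma 2.4.8 Let $\mathcal{K} = (W, R, F)$ be a Kripke frame for $\mathcal{L}_{\Box a}$ and let $\mathcal{T}_R$ be the induced topology. Then:

(a) For all $w, v \in W$,

$$(w,v) \in R \quad \text{iff} \quad (\forall U \in \mathcal{T}_R)[\, w \in U \Rightarrow v \in U \,]$$

(b) For all $w \in W$,

$$B_w = \bigcap \{U \in \mathcal{T}_R \mid w \in U\}$$

(c) $\mathcal{T}_R$ is a D-topology.

(d) For $A \subseteq W$,

$$int_{\mathcal{T}_R}(A) = \{w \in W \mid (\forall v \in W)[\, \text{if } (w,v) \in R \text{ then } v \in A \,]\}$$

and

$$cl_{\mathcal{T}_R}(A) = \{w \in W \mid (\exists v \in W)[\, (w,v) \in R \text{ and } v \in A \,]\}$$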


Proof. Property (b) follows trivially from (a), and for (a), it suffices to observe that for all $w \in W$ and $U \in \mathcal{T}_R$, $w \in U$ iff $B_w \subseteq U$. Property (c) follows directly from (b). For (d), observe that for any $A \subseteq W$, the equivalence:

$$B_w \subseteq A \iff (\forall v \in W)[\, \text{if } (w,v) \in R \text{ then } v \in A \,]$$

is trivial. So it suffices to show that $int_{\mathcal{T}_R}(A) = \{w \in W \mid B_w \subseteq A\}$. So suppose $w \in int_{\mathcal{T}_R}(A)$. Then for some $U \in \mathcal{T}_R$, $w \in U$ and $U \subseteq A$. Since the $B_v$’s form a basis for $\mathcal{T}_R$, there is some $v \in W$ such that $w \in B_v$ and $B_v \subseteq U \subseteq A$. Then $B_w \subseteq B_v$ since $w \in B_v$, so we have $B_w \subseteq A$. Conversely, suppose $B_w \subseteq A$. Then taking $U = B_w$, we have a $U \in \mathcal{T}_R$ such that $w \in U$ and $U \subseteq A$. Hence $w \in int_{\mathcal{T}_R}(A)$. The closure equation comes by taking complements. ■

In [Grz67], Grzegorczyk uses an equivalent topology $\mathcal{T}_R$ on $W$ defined from $R$ by:

$$cl_{\mathcal{T}_R}(A) = \{w \in W \mid (\exists v \in W)[\, (w,v) \in R \text{ and } v \in A \,]\}$$

for all $A \subseteq W$, attributing it to [MT46]. This last equation can also be obtained from Jonsson and Tarski’s work on Boolean algebra with operators [JT51].

Definition 2.4.9 Let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a topological structure for $\mathcal{L}_{\Box a}$.

• $\mathfrak{T}$ is called a D-topological structure iff $\mathcal{T}$ is a D-topology on $X$.

• $\mathfrak{T}$ is called a finite topological structure iff the topology $\mathcal{T}$ is finite, i.e. $\mathcal{T}$ is a finite (complete) lattice of sets.

• $\mathfrak{T}$ is called a finite-space topological structure iff the space $X$ is finite (and hence $\mathcal{T} \subseteq \mathcal{P}(X)$ is finite).

Trivially,  finite-space  topological  structures  are  finite  topological  structures,  and 
finite  topological  structures  are  D-topological  structures.  Finite-space  topological 
structures  correspond  to  finite  Kripke  frames. 

We  can  now  spell  out  the  bijective  transformation  between  Kripke  frames  and 
D-topological  structures. 

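Proposition 2.4.10 [Grz67]. Duality of Kripke frames & D-topological structures

(i) Given a Kripke frame $\mathcal{K} = (W, R, F)$ for $\mathcal{L}_{\Box a}$, let $\mathfrak{T}_\mathcal{K} = (W, \mathcal{T}_R, F)$ be its induced D-topological structure. Then the Kripke frame $\mathcal{K}_{\mathfrak{T}_\mathcal{K}} = (W, R_{\mathcal{T}_R}, F)$ induced by $\mathfrak{T}_\mathcal{K}$ is such that:

(ii) Given a D-topological structure $\mathfrak{T} = (X, \mathcal{T}, f)$ for $\mathcal{L}_{\Box a}$, let $\mathcal{K}_\mathfrak{T} = (X, R_\mathcal{T}, f)$ be its induced Kripke frame. Then the D-topological structure $\mathfrak{T}_{\mathcal{K}_\mathfrak{T}} = (X, \mathcal{T}_{R_\mathcal{T}}, f)$ induced by $\mathcal{K}_\mathfrak{T}$ is such that:

$$\mathcal{T} = \mathcal{T}_{R_\mathcal{T}}$$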

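Proof. Part (i) is an immediate consequence of Lemma 2.4.8, part (a). For (ii), let $\mathcal{B} = \{B_x \mid x \in X\}$ be the basis of $R_\mathcal{T}$-cones for the topology $\mathcal{T}_{R_\mathcal{T}}$ on $X$. Then for each $x \in X$,

$$B_x = \{y \in X \mid (x,y) \in R_\mathcal{T}\} = \bigcap \{U \in \mathcal{T} \mid x \in U\}$$

by Proposition 2.4.6, part (c). Hence by part (a) of that same result, $\mathcal{B}$ is a basis for the D-topology $\mathcal{T}$ on $X$, so $\mathcal{T}_{R_\mathcal{T}} = \mathcal{T}$. ■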

Thus the map

$$\mathcal{K} = (W, R, F) \;\mapsto\; \mathfrak{T}_\mathcal{K} = (W, \mathcal{T}_R, F)$$

from the class of Kripke frames for $\mathcal{L}_{\Box a}$ to the class of D-topological structures for $\mathcal{L}_{\Box a}$, is a bijection, with the map

$$\mathfrak{T} = (X, \mathcal{T}, f) \;\mapsto\; \mathcal{K}_\mathfrak{T} = (X, R_\mathcal{T}, f)$$

its inverse. The restrictions of the same maps establish a bijection between the class of finite Kripke frames for $\mathcal{L}_{\Box a}$ and the class of finite-space topological structures for $\mathcal{L}_{\Box a}$. The map also extends to a faithful bijection between valuations for D-topological structures and valuations for the corresponding Kripke frames.


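Definition 2.4.11 Dual models. Given a Kripke frame $\mathcal{K} = (W, R, F)$ for $\mathcal{L}_{\Box a}$, let $\mathfrak{T}_\mathcal{K} = (W, \mathcal{T}_R, F)$ be its induced D-topological structure. For each valuation $\eta : W \to \mathcal{P}(AP)$ for $\mathcal{K}$, define the dual of $\eta$ to be the valuation $\xi_\eta : AP \to \mathcal{P}(W)$ for $\mathfrak{T}_\mathcal{K}$ given by

$$w \in \xi_\eta(p) \quad \text{iff} \quad p \in \eta(w)$$

for all $w \in W$ and $p \in AP$. The D-topological model $(\mathfrak{T}_\mathcal{K}, \xi_\eta)$ is called the dual of the Kripke model $(\mathcal{K}, \eta)$.

Similarly, given a D-topological structure $\mathfrak{T} = (X, \mathcal{T}, f)$ for $\mathcal{L}_{\Box a}$, let $\mathcal{K}_\mathfrak{T} = (X, R_\mathcal{T}, f)$ be its induced Kripke frame. For each valuation $\xi : AP \to \mathcal{P}(X)$ for $\mathfrak{T}$, define the dual of $\xi$ to be the valuation $\eta_\xi : X \to \mathcal{P}(AP)$ for $\mathcal{K}_\mathfrak{T}$ given by

$$p \in \eta_\xi(x) \quad \text{iff} \quad x \in \xi(p)$$

for all $x \in X$ and $p \in AP$. The Kripke model $(\mathcal{K}_\mathfrak{T}, \eta_\xi)$ is called the dual of the D-topological model $(\mathfrak{T}, \xi)$.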


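Proposition 2.4.12 Duality of Kripke and D-topological models

(i) Let $(\mathcal{K}, \eta)$ be a Kripke model for $\mathcal{L}_{\Box a}$, and $(\mathfrak{T}_\mathcal{K}, \xi_\eta)$ its dual D-topological model. Then for all worlds $w$ of $\mathcal{K}$ and all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$$w \in \|\varphi\|_{\xi_\eta} \quad \text{iff} \quad w \Vdash_\eta \varphi$$

Hence

$$(\mathfrak{T}_\mathcal{K}, \xi_\eta) \models \varphi \quad \text{iff} \quad (\mathcal{K}, \eta) \Vdash \varphi$$

(ii) Let $(\mathfrak{T}, \xi)$ be a D-topological model for $\mathcal{L}_{\Box a}$, and $(\mathcal{K}_\mathfrak{T}, \eta_\xi)$ its dual Kripke model. Then for all states $x$ of $\mathfrak{T}$ and all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$$x \Vdash_{\eta_\xi} \varphi \quad \text{iff} \quad x \in \|\varphi\|_\xi$$

Hence

$$(\mathcal{K}_\mathfrak{T}, \eta_\xi) \Vdash \varphi \quad \text{iff} \quad (\mathfrak{T}, \xi) \models \varphi$$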

Proof. For (i), the proof of

$$w \in \|\varphi\|_{\xi_\eta} \iff w \Vdash_\eta \varphi$$

is by induction on formulas. The base case for atomic formulas is immediate from the definition of the dual valuation $\xi_\eta$; the induction for Boolean connectives and $[a]$ is trivial; and for $\Box$, we use the interior operator equation from Lemma 2.4.8, part (d). For (ii), the proof of

$$x \Vdash_{\eta_\xi} \varphi \iff x \in \|\varphi\|_\xi$$

is essentially the same, using part (d) of Proposition 2.4.6 for the $\Box$ case of the induction. ■


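Corollary 2.4.13 For all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$\mathfrak{T} \models \varphi$ for all D-topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box a}$
iff $\mathcal{K} \Vdash \varphi$ for all Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$

Corollary 2.4.14 For all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$\mathfrak{T} \models \varphi$ for all $T_0$ D-topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box a}$
iff $\mathcal{K} \Vdash \varphi$ for all partially ordered Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$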


Chapter  3 
The  Logic  S4C 


3.1  Adding  Continuity 

In our definition of a topological structure $\mathfrak{T} = (X, \mathcal{T}, f)$ for the language $\mathcal{L}_{\Box a}$, we place no restrictions on the function $f : X \to X$, other than totality. The language itself is rich enough to express various properties of $f$, notably the continuity of $f$ with respect to the topology $\mathcal{T}$. The scheme

$$\text{Cont} : \quad [a]\Box\varphi \to \Box[a]\varphi$$

is called the continuity axiom, in virtue of the following proposition.

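Proposition 3.1.1 [Kur66] I, §13; [RS63] III, §3.

Let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a topological structure for $\mathcal{L}_{\Box a}$. Then the following are equivalent:

(a) for each $\varphi \in \mathcal{L}_{\Box a}$, $\mathfrak{T} \models [a]\Box\varphi \to \Box[a]\varphi$

(b) for each $\varphi \in \mathcal{L}_{\Box a}$, $\mathfrak{T} \models [a]\Box\varphi \to \Box[a]\Box\varphi$

(c) the function $f : X \to X$ is continuous with respect to the topology $\mathcal{T}$.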

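Proof. Let $\varphi$ be any formula of $\mathcal{L}_{\Box a}$, let $\xi$ be any valuation for $\mathfrak{T}$, and let $A = \|\varphi\|_\xi \subseteq X$. Then

$$\|[a]\Box\varphi \to \Box[a]\varphi\|_\xi = X \quad \text{iff} \quad f^{-1}(int_\mathcal{T}(A)) \subseteq int_\mathcal{T}(f^{-1}(A))$$

and

$$\|[a]\Box\varphi \to \Box[a]\Box\varphi\|_\xi = X \quad \text{iff} \quad f^{-1}(int_\mathcal{T}(A)) = int_\mathcal{T}(f^{-1}(int_\mathcal{T}(A)))$$

Now the following equivalence is immediate:

(b) : $f^{-1}(int_\mathcal{T}(A)) = int_\mathcal{T}(f^{-1}(int_\mathcal{T}(A)))$ for all $A \subseteq X$
iff (c) : $f^{-1}(U) = int_\mathcal{T}(f^{-1}(U))$ for all $U \in \mathcal{T}$

i.e. $f$ is continuous w.r.t. the topology $\mathcal{T}$

since $U \in \mathcal{T}$ iff $U = int_\mathcal{T}(U)$, and for any $A \subseteq X$, we have $int_\mathcal{T}(A) = U$ for some $U \in \mathcal{T}$. So rewriting

(a) : $f^{-1}(int_\mathcal{T}(A)) \subseteq int_\mathcal{T}(f^{-1}(A))$ for all $A \subseteq X$

it suffices to show that (a) $\Rightarrow$ (c) and (b) $\Rightarrow$ (a).

Assume (a) holds. Then for any $U \in \mathcal{T}$, we have $U = int_\mathcal{T}(U)$, hence

$$int_\mathcal{T}(f^{-1}(U)) \subseteq f^{-1}(U) = f^{-1}(int_\mathcal{T}(U)) \subseteq int_\mathcal{T}(f^{-1}(U))$$

and thus

$$f^{-1}(U) = int_\mathcal{T}(f^{-1}(U))$$

so (a) $\Rightarrow$ (c).

Now, for any $A \subseteq X$, we have $int_\mathcal{T}(A) \subseteq A$, hence applying $int_\mathcal{T} \circ f^{-1}$ we have

$$int_\mathcal{T}(f^{-1}(int_\mathcal{T}(A))) \subseteq int_\mathcal{T}(f^{-1}(A))$$

Thus if (b) holds, we have

$$f^{-1}(int_\mathcal{T}(A)) = int_\mathcal{T}(f^{-1}(int_\mathcal{T}(A))) \subseteq int_\mathcal{T}(f^{-1}(A))$$

hence (b) $\Rightarrow$ (a), as required. ■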

The preceding proposition gives us an alternative, equivalent version of the continuity axiom, namely:

$$\text{Cont}^* : \quad [a]\Box\varphi \to \Box[a]\Box\varphi$$

It is also readily established that over the Hilbert system S4F$_H$, the schemes Cont and Cont* are provably equivalent¹.

¹ The Cont* scheme is appealed to in devising a sequent calculus rule capturing continuity. The relevant rule is:

$$\frac{\Box[a]\Box\varphi,\ \Gamma \Rightarrow \Delta}{[a]\Box\varphi,\ \Gamma \Rightarrow \Delta}$$

which violates the sub-formula property, but in a manageable way. Sequent calculi for S4F and S4C are investigated in [ADN97a].
From [RS63] and [Kur66], the converse of the Cont scheme,

$$\text{Open} : \quad \Box[a]\varphi \to [a]\Box\varphi$$

characterizes the open mapping property. All instances of the Open scheme are true in a topological structure $\mathfrak{T} = (X, \mathcal{T}, f)$ exactly when the function $f : X \to X$ is such that for all $U \in \mathcal{T}$, the image $f(U) \in \mathcal{T}$, since the latter condition holds exactly when

$$int_\mathcal{T}(f^{-1}(A)) \subseteq f^{-1}(int_\mathcal{T}(A)) \quad \text{for all } A \subseteq X;$$

see [RS63], III, §3, p. 99, and [Kur66], I, §13, XIV. For total $f : X \to X$, the set map $f^{-1} : \mathcal{P}(X) \to \mathcal{P}(X)$ is a (topological) homomorphism of the topological Boolean algebra $\mathfrak{B}_\mathcal{T}(X) = (\mathcal{P}(X), \cup, \cap, -, X, \emptyset, int_\mathcal{T})$ into itself, exactly when $f$ is both continuous and open, since for such $f$ we have:

$$\text{hom} : \quad f^{-1}(int_\mathcal{T}(A)) = int_\mathcal{T}(f^{-1}(A)) \quad \text{for all } A \subseteq X$$

and $f^{-1}$ commutes with all the Boolean operations. If in addition to hom, $f^{-1}$ is both injective and surjective, then $f^{-1}$ is an automorphism of the algebra $\mathfrak{B}_\mathcal{T}(X)$ onto itself; equivalently, $f$ is a homeomorphism of $X$ onto itself ([RS63], III, §3).

In  this  study,  our  chief  interest  is  in  continuity. 

Definition 3.1.2 Let $\mathcal{K} = (W, R, F)$ be a Kripke frame for $\mathcal{L}_{\Box a}$. The map $F : W \to W$ is called $R$-monotone iff for all $w, v \in W$, $(w,v) \in R$ implies $(F(w), F(v)) \in R$.

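Proposition 3.1.3 Continuity in Kripke frames

(a) Let $\mathcal{K} = (W, R, F)$ be a Kripke frame for $\mathcal{L}_{\Box a}$, with $\mathfrak{T}_\mathcal{K} = (W, \mathcal{T}_R, F)$ its induced D-topological structure.

If $F$ is $R$-monotone then $F$ is continuous w.r.t. $\mathcal{T}_R$.

(b) Let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a topological structure for $\mathcal{L}_{\Box a}$, with $\mathcal{K}_\mathfrak{T} = (X, R_\mathcal{T}, f)$ its induced Kripke frame.

If $f$ is continuous w.r.t. $\mathcal{T}$ then $f$ is $R_\mathcal{T}$-monotone.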

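Proof. For (a), assume $F$ is $R$-monotone. Then for arbitrary $A \subseteq W$ and $w \in W$,

$$\begin{array}{ll}
 & w \in F^{-1}(int_{\mathcal{T}_R}(A)) \\
\Leftrightarrow & F(w) \in int_{\mathcal{T}_R}(A) \\
\Leftrightarrow & (\forall z \in W)[\, (F(w), z) \in R \Rightarrow z \in A \,] \\
\Rightarrow & (\forall v \in W)[\, (w,v) \in R \Rightarrow F(v) \in A \,] \qquad (*) \\
\Leftrightarrow & (\forall v \in W)[\, (w,v) \in R \Rightarrow v \in F^{-1}(A) \,] \\
\Leftrightarrow & w \in int_{\mathcal{T}_R}(F^{-1}(A))
\end{array}$$

with the implication (*) a consequence of: $(w,v) \in R \Rightarrow (F(w), F(v)) \in R$. Hence $F^{-1}(int_{\mathcal{T}_R}(A)) \subseteq int_{\mathcal{T}_R}(F^{-1}(A))$, and so $F$ is continuous with respect to $\mathcal{T}_R$.

For (b), assume $f$ is continuous with respect to $\mathcal{T}$. Recall from Definition 2.4.1 that:

$$(x,y) \in R_\mathcal{T} \quad \text{iff} \quad (\forall U \in \mathcal{T})[\, x \in U \Rightarrow y \in U \,]$$

Now fix $x, y \in X$, assume $(x,y) \in R_\mathcal{T}$, and let $U \in \mathcal{T}$ be any open set. Then

$$f(x) \in U \;\Leftrightarrow\; x \in f^{-1}(U) \;\Rightarrow\; y \in f^{-1}(U) \;\Leftrightarrow\; f(y) \in U$$

with the implication holding because $f^{-1}(U) \in \mathcal{T}$ (by continuity of $f$) and $(x,y) \in R_\mathcal{T}$. Hence $(f(x), f(y)) \in R_\mathcal{T}$, and so $f$ is $R_\mathcal{T}$-monotone. ■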

Part (b), the continuity of $f$ w.r.t. $\mathcal{T}$ implying that $f$ is monotone w.r.t. $R_\mathcal{T}$, is a variant of the theme of “continuity implies monotonicity” in cpo and domain theory. The result can be found in [Smy92], Proposition 4.2.4. It is part (a), while not deep, that is most pleasing. The two together give a particularly simple characterization of the meaning of continuity in a Kripke frame.
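The following is an added example, not code from the report: it builds the cone topology of Definition 2.4.7 on a small frame, compares the interior formula of Lemma 2.4.8(d) with the topological definition of interior, and checks Proposition 3.1.3 exhaustively over every total function on the frame. The frame `W`, `R` and all function names are constructed for this illustration.

```python
from itertools import product

# Constructed sample frame: worlds 0 and 1 form an R-cluster, both see 2,
# and 3 is isolated. R is reflexive and transitive (an S4 frame).
W = (0, 1, 2, 3)
R = frozenset({(0, 0), (1, 1), (2, 2), (3, 3),
               (0, 1), (1, 0), (0, 2), (1, 2)})

def cone(R, w):
    """Basic open set B_w = {v | (w, v) in R} of Definition 2.4.7."""
    return frozenset(v for (u, v) in R if u == w)

def cone_topology(W, R):
    """All open sets of T_R: every union of cones B_w, plus the empty set."""
    opens = {frozenset()}
    for w in W:
        opens |= {U | cone(R, w) for U in opens}
    return opens

def interior_by_cones(W, R, A):
    """Lemma 2.4.8(d): int(A) = {w | every R-successor of w lies in A}."""
    return frozenset(w for w in W if cone(R, w) <= A)

def interior_by_opens(opens, A):
    """Topological definition: the union of all open sets contained in A."""
    return frozenset().union(*(U for U in opens if U <= A))

def is_monotone(R, F):
    """Definition 3.1.2: (w, v) in R implies (F(w), F(v)) in R."""
    return all((F[w], F[v]) in R for (w, v) in R)

def is_continuous(W, opens, F):
    """F is continuous iff the preimage of every open set is open."""
    return all(frozenset(w for w in W if F[w] in U) in opens for U in opens)

def interior_formula_holds(W, R):
    """Compare the two interior computations on every subset A of W."""
    opens = cone_topology(W, R)
    subsets = (frozenset(w for w, keep in zip(W, bits) if keep)
               for bits in product((False, True), repeat=len(W)))
    return all(interior_by_cones(W, R, A) == interior_by_opens(opens, A)
               for A in subsets)

def monotone_iff_continuous(W, R):
    """Check Proposition 3.1.3 on every total function F : W -> W."""
    opens = cone_topology(W, R)
    functions = (dict(zip(W, values)) for values in product(W, repeat=len(W)))
    return all(is_monotone(R, F) == is_continuous(W, opens, F)
               for F in functions)

if __name__ == "__main__":
    print(sorted(map(sorted, cone_topology(W, R))))
    print(interior_formula_holds(W, R), monotone_iff_continuous(W, R))
```

On this frame the map sending 0 to 2 and fixing the other worlds is neither monotone nor continuous: the preimage of the open set {2} is {0, 2}, which is not a union of cones.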


Definition 3.1.4 A topological structure $\mathfrak{T} = (X, \mathcal{T}, f)$ for $\mathcal{L}_{\Box a}$ is called continuous iff $f$ is continuous with respect to the topology $\mathcal{T}$. A Kripke frame $\mathcal{K} = (W, R, F)$ for $\mathcal{L}_{\Box a}$ is called continuous iff $F$ is $R$-monotone.


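Proposition 3.1.5 Duality of continuous Kripke and D-topological models

(i) Let $(\mathcal{K}, \eta)$ be a continuous Kripke model for $\mathcal{L}_{\Box a}$, and $(\mathfrak{T}_\mathcal{K}, \xi_\eta)$ its dual continuous D-topological model. Then for all worlds $w$ of $\mathcal{K}$ and all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$$w \in \|\varphi\|_{\xi_\eta} \quad \text{iff} \quad w \Vdash_\eta \varphi$$

Hence

$$(\mathfrak{T}_\mathcal{K}, \xi_\eta) \models \varphi \quad \text{iff} \quad (\mathcal{K}, \eta) \Vdash \varphi$$

(ii) Let $(\mathfrak{T}, \xi)$ be a continuous D-topological model for $\mathcal{L}_{\Box a}$, and $(\mathcal{K}_\mathfrak{T}, \eta_\xi)$ its dual continuous Kripke model. Then for all states $x$ of $\mathfrak{T}$ and all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$$x \Vdash_{\eta_\xi} \varphi \quad \text{iff} \quad x \in \|\varphi\|_\xi$$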

Hence 

iff 


Proof.  Immediate  from  Proposition  3.1.3  together  with  Proposition  2.4.12.  ■ 

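Corollary 3.1.6 For all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$\mathfrak{T} \models \varphi$ for all continuous D-topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box a}$
iff $\mathcal{K} \Vdash \varphi$ for all continuous Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$

Corollary 3.1.7 For all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$\mathfrak{T} \models \varphi$ for all continuous $T_0$ D-topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box a}$
iff $\mathcal{K} \Vdash \varphi$ for all continuous partially ordered Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$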


It is readily verified that all instances of the scheme

$$\text{Open} : \quad \Box[a]\varphi \to [a]\Box\varphi$$

are forced in a Kripke frame $\mathcal{K} = (W, R, F)$ exactly when the condition

$$(F(w), u) \in R \;\Rightarrow\; (\exists v \in W)[\, F(v) = u \ \&\ (w,v) \in R \,] \qquad (F\text{-open})$$

holds for all $w, u \in W$. This condition is properly stronger than the converse of $R$-monotonicity:

$$(F(w), F(v)) \in R \;\Rightarrow\; (w,v) \in R$$

since the $F$-open condition can fail when $F$ is not surjective; i.e. there is a $u \in W$ such that $u \neq F(v)$ for all $v \in W$. This is the case for the canonical term frame of a path through a tableaux in Section 4.2.

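Observe that for a continuous Kripke frame $\mathcal{K} = (W, R, F)$, we always have

$$\begin{array}{rcll}
F(B_w) & = & \{F(v) \mid (w,v) \in R\} & \\
 & \subseteq & \{u \mid (F(w), u) \in R\} & \text{by the } R\text{-monotonicity of } F \\
 & = & B_{F(w)} &
\end{array}$$

and the inclusion will be strict whenever there is a $u \in W$ such that $(F(w), u) \in R$ but $u \neq F(v)$ for any $v$ such that $(w,v) \in R$; i.e. when $F$ fails to be an open map with respect to the cone topology $\mathcal{T}_R$. Note also that the only way $F(B_w)$ can be open in $\mathcal{T}_R$ is if $F(B_w) = B_{F(w)}$, because $B_{F(w)}$ is the smallest open set in $\mathcal{T}_R$ containing $F(w)$, and $F(w) \in F(B_w)$. It then follows that:

$$\begin{array}{ll}
 & (\forall w, v \in W)[\, (w,v) \in R \Rightarrow (F(w), F(v)) \in R \,] \ \text{ and} \\
 & (\forall w, u \in W)[\, (F(w), u) \in R \Rightarrow (\exists v \in W)[\, F(v) = u \ \&\ (w,v) \in R \,] \,] \\
\Leftrightarrow & \text{for all } w \in W,\ F(B_w) = B_{F(w)} \\
\Leftrightarrow & \text{for all } U \in \mathcal{T}_R,\ F^{-1}(U) \in \mathcal{T}_R \text{ and } F(U) \in \mathcal{T}_R \\
\Leftrightarrow & F \text{ is a continuous and open map w.r.t. } \mathcal{T}_R \\
\Leftrightarrow & \mathfrak{T}_\mathcal{K} \models [a]\Box\varphi \leftrightarrow \Box[a]\varphi \ \text{ for all formulas } \varphi \text{ of } \mathcal{L}_{\Box a} \\
\Leftrightarrow & \mathcal{K} \Vdash [a]\Box\varphi \leftrightarrow \Box[a]\varphi \ \text{ for all formulas } \varphi \text{ of } \mathcal{L}_{\Box a}
\end{array}$$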


3.2  Hilbert-style  Proof  System 

Definition 3.2.1 The Hilbert-style proof system for the logic S4C has as its axiom schemes those of S4F (Definition 2.2.1) together with all instances of the scheme

$$\text{Cont} : \quad [a]\Box\varphi \to \Box[a]\varphi$$

in the language $\mathcal{L}_{\Box a}$; the inference rules are the same as those of S4F.

We write

$$\text{S4C} \vdash_H \varphi$$

or say $\varphi$ is S4C$_H$ provable, if the formula $\varphi \in \mathcal{L}_{\Box a}$ has an S4C Hilbert-style derivation.


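The following are derivable in S4C$_H$, for any formula $\varphi \in \mathcal{L}_{\Box a}$ and $k \in \mathbb{N}$.

$[a]^k$Cont : $[a]^k\Box\varphi \to \Box[a]^k\varphi$

$[a]^k\Diamond$Cont : $\Diamond[a]^k\varphi \to [a]^k\Diamond\varphi$

The following is an admissible inference rule in S4C$_H$, for any formulas $\varphi, \chi, \psi \in \mathcal{L}_{\Box a}$ and $k, l \in \mathbb{N}$: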


Continuous 

Hoare  composition:  ip  ->•  [c]^Dx,  x 

V?  -?•  [a]*'+'nV’ 


Proposition 3.2.2 Soundness of S4C Hilbert-style proof system
For all formulas $\varphi$ of $\mathcal{L}_{\Box a}$, if S4C $\vdash_H \varphi$,

then $\mathfrak{T} \models \varphi$ for all continuous topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box a}$
and $\mathcal{K} \Vdash \varphi$ for all continuous Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$.

Proof. Immediate from Propositions 2.2.2, 3.1.1 and 3.1.6. ■

As for S4F, a “cheap” proof of Kripke completeness for the S4C Hilbert-style proof system is available.


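Proposition 3.2.3 Kripke Completeness of S4C Hilbert-style proof system

There exists a continuous Kripke model $(\mathcal{K}_0, \eta_0)$ such that for all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

$$(\mathcal{K}_0, \eta_0) \Vdash \varphi \quad \text{iff} \quad \text{S4C} \vdash_H \varphi$$

Proof. From the proof of Proposition 2.3.7, the canonical Kripke frame $\mathcal{K}_0 = (W_0, R_0, F_0)$ satisfies:

$$\begin{array}{rcl}
W_0 & = & \{U \subseteq \mathcal{L}_{\Box a} \mid U \text{ is maximal S4C-consistent}\} \\
(U, V) \in R_0 & \text{iff} & (\forall \varphi \in \mathcal{L}_{\Box a})[\, \Box\varphi \in U \Rightarrow \varphi \in V \,] \\
F_0(U) & = & \{\varphi \in \mathcal{L}_{\Box a} \mid [a]\varphi \in U\}
\end{array}$$

with the canonical valuation $\eta_0$ for $\mathcal{K}_0$ given by: $p \in \eta_0(U)$ iff $p \in U$. It suffices to show that the function $F_0$, which “peels-off” one $[a]$, is monotone with respect to the relation $R_0$. Fix maximal S4C-consistent sets $U$, $V$ and a formula $\varphi$, suppose $(U, V) \in R_0$. Then

$$\begin{array}{lll}
 & \Box\varphi \in F_0(U) & \\
\Rightarrow & [a]\Box\varphi \in U & \text{property of } F_0 \\
\Rightarrow & \Box[a]\varphi \in U & \text{Cont axiom} \\
\Rightarrow & [a]\varphi \in V & \text{definition of } R_0 \\
\Rightarrow & \varphi \in F_0(V) & \text{property of } F_0
\end{array}$$

Hence $(F_0(U), F_0(V)) \in R_0$, as required. ■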


3.3 Quotient Kripke Frames and $T_0$ Topologies

This section examines the $T_0$ quotient construction, and the dual construction of a partially-ordered Kripke frame. We identify a class of valuations which can be faithfully passed through to $T_0$ quotients. The first task is to formalize the notion of a quotient of a Kripke frame in our setting.


Definition 3.3.1 Let $\mathcal{K} = (W, R, F)$ and $\mathcal{K}' = (W', R', F')$ be Kripke frames for $\mathcal{L}_{\Box a}$, and let $h : W \to W'$ be a surjective map.

We say the frame $\mathcal{K}'$ is a quotient under $h$ of the frame $\mathcal{K}$ iff

(a) $h$ preserves the accessibility relations $R$ and $R'$: for all $w, v \in W$,

$$(w,v) \in R \;\Rightarrow\; (h(w), h(v)) \in R'$$

(b) $h$ preserves the functions $F$ and $F'$:

$$F' \circ h = h \circ F$$

$\mathcal{K}'$ is called the minimal quotient under $h$ of $\mathcal{K}$ iff for all $w, v \in W$,

$$(h(w), h(v)) \in R' \;\Rightarrow\; (w,v) \in R$$


Lemma 3.3.2 Given a Kripke frame $\mathcal{K} = (W, R, F)$ for $\mathcal{L}_{\Box a}$ and a surjective map $h : W \to W'$ onto a non-empty set $W'$, any structure $\mathcal{K}' = (W', R', F')$ satisfying:

(1) $R' \subseteq W' \times W'$ is such that for all $w, v \in W$,

$$(h(w), h(v)) \in R' \;\Leftrightarrow\; (w,v) \in R$$

(2) $F' : W' \to W'$ is such that for all $w \in W$,

$$F'(h(w)) = h(F(w))$$

is a Kripke frame for $\mathcal{L}_{\Box a}$ and the minimal quotient under $h$ of $\mathcal{K}$.

Moreover, if $\mathcal{K}$ is a continuous Kripke frame, then $\mathcal{K}'$ is also continuous.

Proof. Clause (1) guarantees that $R'$ is a reflexive and transitive binary relation on $W'$, and by the surjectivity of $h$, the equation in clause (2) defines a total function $F'$ on $W'$. If $F$ is $R$-monotone, then for all $w, v \in W$,

$$\begin{array}{lll}
 & (h(w), h(v)) \in R' & \\
\Leftrightarrow & (w,v) \in R & (1) \\
\Rightarrow & (F(w), F(v)) \in R & \text{monotonicity} \\
\Leftrightarrow & (h(F(w)), h(F(v))) \in R' & (1) \\
\Leftrightarrow & (F'(h(w)), F'(h(v))) \in R' & (2)
\end{array}$$

Hence $F'$ is $R'$-monotone. ■


Recall from Lemma 2.4.8, part (a), that in a Kripke frame $\mathcal{K} = (W, R, F)$, with its induced topology $\mathcal{T}_R$ on $W$,

$$(w,v) \in R \text{ and } (v,w) \in R \quad \text{iff} \quad (\forall U \in \mathcal{T}_R)[\, w \in U \Leftrightarrow v \in U \,],$$

i.e. $w$ and $v$ belong to all the same open sets in $\mathcal{T}_R$. So we call the quotient which identifies all such $w$ and $v$ the $T_0$ quotient of $\mathcal{K}$.

Proposition 3.3.3 Let $\mathcal{K} = (W, R, F)$ be a continuous Kripke frame for $\mathcal{L}_{\Box a}$. For each $w \in W$, let:

$$\overline{w} = \{v \in W \mid (w,v) \in R \text{ and } (v,w) \in R\}$$

Let $W^0 = \{\overline{w} \mid w \in W\}$ and let $h : W \to W^0$ be the surjective map given by $h(w) = \overline{w}$.

Then the structure $\mathcal{K}^0 = (W^0, R^0, F^0)$ defined, for all $w, v \in W$, by:

(i) $(h(w), h(v)) \in R^0$ iff $(w,v) \in R$; and

(ii) $F^0(h(w)) = h(F(w))$

is a Kripke frame, and $\mathcal{K}^0$ is the minimal quotient under $h$ of $\mathcal{K}$.

Moreover, $\mathcal{K}^0$ is a continuous Kripke frame, and the relation $R^0$ is a partial order, so its induced topology $\mathcal{T}_{R^0}$ on $W^0$ is $T_0$. The frame $\mathcal{K}^0$ will be called the $T_0$ quotient of $\mathcal{K}$.

Proof. First observe that the $R$-monotonicity of $F$ is what is needed to ensure that the function $F^0$ is well-defined by (ii) (i.e. this quotient construction is not available for arbitrary Kripke frames), and $F^0$ is $R^0$-monotone by Lemma 3.3.2. The anti-symmetry of the relation $R^0$ is immediate from the definition of the quotient map $h$.


We  now  turn  to  the  topological  quotient. 


Definition 3.3.4 Let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a continuous topological structure for $\mathcal{L}_{\Box a}$. Define an equivalence relation $=_0$ on $X$ by:

$$x =_0 y \quad \text{iff} \quad (\forall U \in \mathcal{T})[\, x \in U \Leftrightarrow y \in U \,];$$

equivalently,

$$x =_0 y \quad \text{iff} \quad (x,y) \in R_\mathcal{T} \text{ and } (y,x) \in R_\mathcal{T}$$

where $R_\mathcal{T}$ is the relation induced by $\mathcal{T}$. Let $\overline{x} = \{y \in X \mid x =_0 y\}$ denote the equivalence class of $x$ under $=_0$, and let $X^0 = \{\overline{x} \mid x \in X\}$ be the set of equivalence classes. Let $q : X \to X^0$ be the surjective map given by $q(x) = \overline{x}$. The map $q$ is called the Stone map for $X$. Then $q$ induces a unique quotient topology $\mathcal{T}^0$ on $X^0$: for subsets $V \subseteq X^0$,

$$V \in \mathcal{T}^0 \quad \text{iff} \quad q^{-1}(V) \in \mathcal{T}$$

By standard arguments (see, for example [Th66], Theorem Ij.S), $\mathcal{T}^0$ is a $T_0$ topology on $X^0$ and the Stone map $q : X \to X^0$ is both open and closed, as well as (trivially) continuous. Define $f^0 : X^0 \to X^0$ to be the unique map satisfying

$$f^0 \circ q = q \circ f$$

Then (by standard arguments) $f^0$ is well-defined on the quotient and continuous with respect to the quotient topology $\mathcal{T}^0$. Hence $\mathfrak{T}^0 = (X^0, \mathcal{T}^0, f^0)$ is a $T_0$ continuous topological structure, called the $T_0$ quotient of $\mathfrak{T}$.


The Kripke frame and topological $T_0$ quotient constructions clearly commute with the duality transformations $\mathcal{K} \mapsto \mathfrak{T}_\mathcal{K}$ and $\mathfrak{T} \mapsto \mathcal{K}_\mathfrak{T}$ between continuous Kripke frames and continuous D-topological structures.

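Proposition 3.3.5 Let $\mathcal{K} = (W, R, F)$ be a continuous Kripke frame for $\mathcal{L}_{\Box a}$, with $\mathfrak{T}_\mathcal{K} = (W, \mathcal{T}_R, F)$ its induced D-topological structure, and $\mathcal{K}^0 = (W^0, R^0, F^0)$ its $T_0$ quotient.

Then $\mathfrak{T}_\mathcal{K}^0$, the $T_0$ quotient of $\mathfrak{T}_\mathcal{K}$, and $\mathfrak{T}_{\mathcal{K}^0}$, the induced D-topological structure of $\mathcal{K}^0$, are identical topological structures.

Dually, let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a continuous D-topological structure, with $\mathcal{K}_\mathfrak{T} = (X, R_\mathcal{T}, f)$ its induced Kripke frame, and $\mathfrak{T}^0 = (X^0, \mathcal{T}^0, f^0)$ its $T_0$ quotient.

Then $\mathcal{K}_\mathfrak{T}^0$, the $T_0$ quotient of $\mathcal{K}_\mathfrak{T}$, and $\mathcal{K}_{\mathfrak{T}^0}$, the induced Kripke frame of $\mathfrak{T}^0$, are identical Kripke frames.

Proof. Immediate. ■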


Corollary 3.3.6 If $\mathfrak{T} = (X, \mathcal{T}, f)$ is a continuous D-topological structure for $\mathcal{L}_{\Box a}$ and $\mathfrak{T}^0 = (X^0, \mathcal{T}^0, f^0)$ is its $T_0$ quotient, then $\mathcal{T}^0$ is a D-topology.


Having established the structure of topological and Kripke $T_0$ quotients, we turn to the question of how and when a valuation of atomic propositions in a topological or Kripke model can be faithfully passed through to the corresponding $T_0$ quotient. We start with a lemma on how the quotient map behaves with the interior and inverse-image operators.


Lemma 3.3.7 Let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a continuous topological structure for $\mathcal{L}_{\Box a}$ and let $\mathfrak{T}^0 = (X^0, \mathcal{T}^0, f^0)$ be its $T_0$ quotient, with $q : X \to X^0$ the Stone map. Then for all $A \subseteq X^0$,

$$q^{-1}((f^0)^{-1}(A)) = f^{-1}(q^{-1}(A))$$
$$q^{-1}(int_{\mathcal{T}^0}(A)) = int_\mathcal{T}(q^{-1}(A))$$

Proof. The first formula is immediate from the defining equation for $f^0$, namely $f^0 \circ q = q \circ f$. For the second formula, the inclusion

$$q^{-1}(int_{\mathcal{T}^0}(A)) \subseteq int_\mathcal{T}(q^{-1}(A))$$

for $A \subseteq X^0$, is derivable using only the fact that $q^{-1}$ commutes with arbitrary unions and is inclusion monotone, together with the defining property of the quotient topology: $V \in \mathcal{T}^0$ iff $q^{-1}(V) \in \mathcal{T}$, for $V \subseteq X^0$. For the converse inclusion of the second formula, observe that the subset $q(int_\mathcal{T}(q^{-1}(A)))$ of $X^0$ is open w.r.t. $\mathcal{T}^0$, since $q : X \to X^0$ is an open map and $int_\mathcal{T}(q^{-1}(A))$ is trivially open w.r.t. $\mathcal{T}$. So to prove:

$$q(int_\mathcal{T}(q^{-1}(A))) \subseteq int_{\mathcal{T}^0}(A) \qquad (\#)$$

it suffices to show:

$$q(int_\mathcal{T}(q^{-1}(A))) \subseteq A \qquad (*)$$

and (*) is readily verified using basic properties of $int_\mathcal{T}$ and $q^{-1}$. The desired inclusion then follows from (#) by applying $q^{-1}$ to both sides. ■

Given $\mathfrak{T} = (X, \mathcal{T}, f)$ continuous, with $\mathfrak{T}^0 = (X^0, \mathcal{T}^0, f^0)$ its $T_0$ quotient and $q : X \to X^0$ the Stone map, the preceding lemma suggests that we try to pass a valuation $\xi : AP \to \mathcal{P}(X)$ through to the quotient by defining $\xi^0 : AP \to \mathcal{P}(X^0)$ by:

$$q(x) \in \xi^0(p) \quad \text{iff} \quad x \in \xi(p)$$

for all $p \in AP$ and $x \in X$. Provided $\xi^0$ is well-defined, we then get the base case of an induction proving:

$$q^{-1}(\|\varphi\|_{\xi^0}) = \|\varphi\|_\xi$$

The well-definedness of $\xi^0$ requires that if $q(x) = q(y)$ then for all $p \in AP$, $x \in \xi(p)$ iff $y \in \xi(p)$. Since $q(x) = q(y)$ iff $(x,y) \in R_\mathcal{T}$ and $(y,x) \in R_\mathcal{T}$, well-definedness can be characterized in terms of the induced relation $R_\mathcal{T}$.


Definition 3.3.8 $T_0$-consistent valuations

Let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a continuous topological structure for $\mathcal{L}_{\Box a}$, with $R_\mathcal{T}$ the relation induced by $\mathcal{T}$. A valuation $\xi : AP \to \mathcal{P}(X)$ for $\mathfrak{T}$ is called $T_0$-consistent iff for all $x, y \in X$,

$$(x,y) \in R_\mathcal{T} \quad \text{implies} \quad (\forall p \in AP)[\, x \in \xi(p) \Rightarrow y \in \xi(p) \,]$$

Let $\mathcal{K} = (W, R, F)$ be a Kripke frame for $\mathcal{L}_{\Box a}$. A valuation $\eta : W \to \mathcal{P}(AP)$ for $\mathcal{K}$ is called $T_0$-consistent iff for all $w, v \in W$,

$$(w,v) \in R \quad \text{implies} \quad \eta(w) \subseteq \eta(v)$$

i.e. $\eta$ is inclusion-monotone with respect to $R$.

So the $T_0$-consistency condition for valuations is essentially monotonicity, reminiscent of the monotonicity requirement for valuations in the (partial-order) Kripke semantics for Intuitionistic logic. Observe that if $\xi$ is an open valuation for $\mathfrak{T}$, i.e. $\xi(p) \in \mathcal{T}$ for all $p \in AP$, then $\xi$ is $T_0$-consistent.

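Theorem 3.3.9 Let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a continuous topological structure for $\mathcal{L}_{\Box a}$, let $\mathfrak{T}^0 = (X^0, \mathcal{T}^0, f^0)$ be its $T_0$ quotient, with $q : X \to X^0$ the Stone map, and let $\xi : AP \to \mathcal{P}(X)$ be a $T_0$-consistent valuation for $\mathfrak{T}$.

Define a valuation $\xi^0 : AP \to \mathcal{P}(X^0)$ for $\mathfrak{T}^0$ by:

$$q(x) \in \xi^0(p) \quad \text{iff} \quad x \in \xi(p)$$

for all $p \in AP$ and $x \in X$.

Then for all $\varphi \in \mathcal{L}_{\Box a}$,

$$q^{-1}(\|\varphi\|_{\xi^0}) = \|\varphi\|_\xi$$

Hence

$$(\mathfrak{T}^0, \xi^0) \models \varphi \quad \text{iff} \quad (\mathfrak{T}, \xi) \models \varphi$$

Proof. Proceed by induction on formulas $\varphi$ of $\mathcal{L}_{\Box a}$. The $T_0$-consistency condition guarantees that the valuation $\xi^0$ is well-defined, in which case

$$q^{-1}(\xi^0(p)) = \xi(p)$$

for atomic propositions $p \in AP$. For the induction cases of $\to$, $\Box$ and $[a]$, respectively, we use the formulas:

$$\begin{array}{rcl}
q^{-1}(-A) & = & -q^{-1}(A) \\
q^{-1}(-A \cup B) & = & -q^{-1}(A) \cup q^{-1}(B) \\
q^{-1}(int_{\mathcal{T}^0}(A)) & = & int_\mathcal{T}(q^{-1}(A)) \\
q^{-1}((f^0)^{-1}(A)) & = & f^{-1}(q^{-1}(A))
\end{array}$$

with the latter two coming from Lemma 3.3.7.

Then since

$$\|\varphi\|_{\xi^0} = X^0 \;\Leftrightarrow\; q^{-1}(\|\varphi\|_{\xi^0}) = X$$

with the ($\Rightarrow$) direction from the totality of $q$, and the ($\Leftarrow$) direction by the surjectivity of $q$, we have

$$(\mathfrak{T}^0, \xi^0) \models \varphi \quad \text{iff} \quad (\mathfrak{T}, \xi) \models \varphi$$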


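Corollary 3.3.10 Let $\mathcal{K} = (W, R, F)$ be a continuous Kripke frame for $\mathcal{L}_{\Box a}$, let $\mathcal{K}^0 = (W^0, R^0, F^0)$ be its $T_0$ quotient, with $h : W \to W^0$ the quotient map, and let $\eta : W \to \mathcal{P}(AP)$ be a $T_0$-consistent valuation for $\mathcal{K}$.

Define a valuation $\eta^0 : W^0 \to \mathcal{P}(AP)$ for $\mathcal{K}^0$ by:

$$\eta^0(h(w)) = \eta(w)$$

for all $w \in W$.

Then for all $\varphi \in \mathcal{L}_{\Box a}$ and all $w \in W$,

$$h(w) \Vdash_{\eta^0} \varphi \quad \text{iff} \quad w \Vdash_\eta \varphi$$

Hence

$$(\mathcal{K}^0, \eta^0) \Vdash \varphi \quad \text{iff} \quad (\mathcal{K}, \eta) \Vdash \varphi$$

Proof. The $T_0$-consistency of $\eta : W \to \mathcal{P}(AP)$ implies that its dual valuation $\xi_\eta : AP \to \mathcal{P}(W)$ for the induced topological structure $\mathfrak{T}_\mathcal{K}$ is $T_0$-consistent, using the fact that $R_{\mathcal{T}_R} = R$ from Proposition 2.4.10. Then apply Theorem 3.3.9, together with Propositions 3.3.5 and 3.1.5. ■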

It is clear that an arbitrary valuation for a continuous topological structure or Kripke frame cannot be passed faithfully through to the $T_0$ quotient. From Kripke’s [Kri63], the formula:

$$\Diamond(\Box p \lor \Box\neg p)$$

is not S4 provable, but it is true in every S4 Kripke frame $\mathcal{K} = (W, R)$ with the property that for each $w \in W$, there is a terminal world $v$ such that $(w,v) \in R$. A world $v$ is terminal if $(v,u) \in R$ iff $u = v$. Every $\mathcal{K} = (W, R)$ with $W$ finite and $R$ a partial order has the “access to a terminal world” property. In Section 4.5, we will establish that S4C is complete for the class of finite continuous Kripke frames for $\mathcal{L}_{\Box a}$, but applying Kripke’s observation, S4C cannot be complete for the class of finite continuous partially ordered Kripke frames for $\mathcal{L}_{\Box a}$.
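The following is an added example, not code from the report: it builds the $T_0$ quotient of Proposition 3.3.3 for a small continuous Kripke model, checks the transfer of forcing stated in Corollary 3.3.10 on sample formulas, and evaluates Kripke's formula on a two-world cluster and on its one-point quotient. The forcing clauses assumed are the ones used in the proofs above ($\Box$ quantifies over $R$-successors, $[a]\varphi$ holds at $w$ iff $\varphi$ holds at $F(w)$); the models, valuations and function names are constructed for this illustration.

```python
# Constructed sample model: worlds 0 and 1 form an R-cluster and both see 2.
W = [0, 1, 2]
R = {(0, 0), (1, 1), (2, 2), (0, 1), (1, 0), (0, 2), (1, 2)}
F = {0: 1, 1: 0, 2: 2}                          # R-monotone, so the frame is continuous
ETA_GOOD = {0: {"p"}, 1: {"p"}, 2: {"p", "q"}}  # T0-consistent (Definition 3.3.8)
ETA_BAD = {0: {"p"}, 1: set(), 2: {"p"}}        # p separates 0 from 1 inside a cluster

# Formulas are nested tuples; lor and dia are the usual abbreviations.
def atom(name): return ("atom", name)
def neg(a): return ("not", a)
def imp(a, b): return ("imp", a, b)
def box(a): return ("box", a)
def nxt(a): return ("a", a)                     # the modality [a]
def lor(a, b): return imp(neg(a), b)
def dia(a): return neg(box(neg(a)))

P, Q = atom("p"), atom("q")
KRIPKE = dia(lor(box(P), box(neg(P))))          # the formula from [Kri63] quoted above
FORMULAS = [P, Q, box(Q), dia(Q), nxt(Q), imp(nxt(box(Q)), box(nxt(Q))),
            imp(box(nxt(P)), nxt(box(P))), KRIPKE]

def forces(model, w, phi):
    """Forcing relation: does world w of model = (W, R, F, eta) force phi?"""
    _, rel, fun, eta = model
    op = phi[0]
    if op == "atom":
        return phi[1] in eta[w]
    if op == "not":
        return not forces(model, w, phi[1])
    if op == "imp":
        return (not forces(model, w, phi[1])) or forces(model, w, phi[2])
    if op == "box":
        return all(forces(model, v, phi[1]) for (u, v) in rel if u == w)
    if op == "a":
        return forces(model, fun[w], phi[1])
    raise ValueError("unknown connective: %r" % (op,))

def is_t0_consistent(R, eta):
    """Definition 3.3.8 for Kripke frames: (w, v) in R implies eta(w) <= eta(v)."""
    return all(eta[w] <= eta[v] for (w, v) in R)

def t0_quotient(W, R, F, eta):
    """Proposition 3.3.3 and Corollary 3.3.10; raises if F0 or eta0 is ill-defined."""
    h = {w: frozenset(v for v in W if (w, v) in R and (v, w) in R) for w in W}
    R0 = {(h[w], h[v]) for (w, v) in R}
    F0, eta0 = {}, {}
    for w in W:
        if F0.setdefault(h[w], h[F[w]]) != h[F[w]]:
            raise ValueError("F0 is not well defined: F is not R-monotone")
        if eta0.setdefault(h[w], eta[w]) != eta[w]:
            raise ValueError("eta0 is not well defined: valuation splits a cluster")
    return (set(h.values()), R0, F0, eta0), h

def transfer_holds(W, R, F, eta, formulas):
    """Corollary 3.3.10: h(w) forces phi in the quotient iff w forces phi."""
    quotient, h = t0_quotient(W, R, F, eta)
    model = (W, R, F, eta)
    return all(forces(quotient, h[w], phi) == forces(model, w, phi)
               for w in W for phi in formulas)

def kripke_formula_demo():
    """KRIPKE on a 2-world cluster versus its one-point T0 quotient."""
    Wc, Rc, Fc = [0, 1], {(0, 0), (0, 1), (1, 0), (1, 1)}, {0: 0, 1: 1}
    in_cluster = forces((Wc, Rc, Fc, {0: {"p"}, 1: set()}), 0, KRIPKE)
    (W0, R0, F0, _), h = t0_quotient(Wc, Rc, Fc, {0: set(), 1: set()})
    on_point = [forces((W0, R0, F0, {h[0]: val}), h[0], KRIPKE)
                for val in ({"p"}, set())]
    return in_cluster, on_point

if __name__ == "__main__":
    print(transfer_holds(W, R, F, ETA_GOOD, FORMULAS), kripke_formula_demo())
```

The cluster valuation that makes $p$ true at one world only falsifies Kripke's formula, while every valuation on the one-point quotient satisfies it, so no valuation on the quotient can agree with it.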


Recall from Section 1.3 that the natural analog-to-digital conversion map for a
D-space is the Stone $T_0$ quotient. Let $\mathfrak{T} = (X, \mathcal{T}, f)$ be a structure with $f$ continuous
and $\mathcal{T}$ a finite D-topology. Let $\{B_i\}_{i \in I}$, where $I = \{1,\ldots,n\}$, be the basis for $\mathcal{T}$
obtained by taking all the non-empty join-irreducibles in the (finite) lattice $\mathcal{T}$, so
that for each $i \in I$, there is an $x \in X$ such that:

$$B_i = B_x = \bigcap \{ U \in \mathcal{T} \mid x \in U \}$$

and for each $x \in X$, $B_x = B_i$ for some $i \in I$. Then the analog-to-digital conversion
map $AD : X \to I$ is given by:

$$AD(x) = i \quad\text{iff}\quad B_i = B_x$$

Let $\mathfrak{T}^0 = (X^0, \mathcal{T}^0, f^0)$ be the $T_0$ quotient of $\mathfrak{T}$, with $q : X \to X^0$ the Stone map. The
mapping $d : X^0 \to I$ given by $d(q(x)) = AD(x)$ is well-defined, since:

$$q(x) = q(y) \quad\text{iff}\quad (\forall U \in \mathcal{T})[\, x \in U \Leftrightarrow y \in U \,];$$

moreover, it establishes a bijection between $X^0$ and $I$. If $I$ is partially ordered by:
$i \leq j$ iff $B_j \subseteq B_i$, and then given the Alexandroff topology $\mathcal{T}_{\leq}$ generated by the upper
cones under $\leq$, it is readily verified that $d$ is a homeomorphism.

Theorem 3.3.9 says that if we want satisfiability and truth in models $(X, \mathcal{T}, f; \xi)$
to pass faithfully to the finite $T_0$ quotient $(X^0, \mathcal{T}^0, f^0; \xi^0)$ under the AD map, we
must be careful with the choice of valuations $\xi$. In practice, this is not a problem,
since atomic propositions will typically be evaluated by the basic open sets $B_i$, and
as noted above, any open valuation is $T_0$ consistent.
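The AD map and the Stone quotient described above can be computed directly for a finite topology. The following Python code is an added example, not part of the report: the four-point space, the atom names and the function names are constructed for illustration, and it assumes that a valuation is $T_0$-consistent exactly when it is constant on each fibre of the Stone map, which is what makes $\eta^0(h(w)) = \eta(w)$ well defined.

```python
# Added example (not from the report): AD map and T0 quotient of a finite topology.

def minimal_neighbourhoods(X, opens):
    """B_x = intersection of every open set containing x (X itself must be open)."""
    return {x: frozenset.intersection(*(U for U in opens if x in U)) for x in X}

def ad_conversion(X, opens):
    """Return (basis, AD): basis[i] = B_i for i in I = {1..n}; AD[x] = i iff B_i = B_x."""
    B = minimal_neighbourhoods(X, opens)
    distinct = sorted(set(B.values()), key=lambda b: (len(b), sorted(b)))
    basis = {i: b for i, b in enumerate(distinct, start=1)}
    index = {b: i for i, b in basis.items()}
    return basis, {x: index[B[x]] for x in X}

def stone_classes(X, opens):
    """Fibres of the Stone map: q(x) = q(y) iff x and y lie in the same open sets."""
    by_signature = {}
    for x in X:
        by_signature.setdefault(frozenset(U for U in opens if x in U), set()).add(x)
    return {frozenset(c) for c in by_signature.values()}

def cone_order(basis):
    """The order on I: i <= j iff B_j is a subset of B_i."""
    return {(i, j) for i in basis for j in basis if basis[j] <= basis[i]}

def valuation_from_extensions(X, extensions):
    """Turn atom -> set of points into the pointwise form x -> set of atoms."""
    return {x: frozenset(p for p, ext in extensions.items() if x in ext) for x in X}

def t0_consistent(valuation, X, opens):
    """Assumed reading: the valuation is constant on every fibre of the Stone map."""
    return all(len({valuation[x] for x in c}) == 1 for c in stone_classes(X, opens))

# Constructed sample: a finite topology on four points in which a and b
# cannot be separated by any open set.
X = {"a", "b", "c", "d"}
OPENS = [frozenset(), frozenset("ab"), frozenset("abc"), frozenset("abd"), frozenset("abcd")]

BASIS, AD = ad_conversion(X, OPENS)

# Atoms evaluated by basic open sets (an open valuation) versus an atom
# that holds at a but not at b.
OPEN_VALUATION = valuation_from_extensions(X, {"p": BASIS[2], "q": BASIS[1]})
SPLITTING_VALUATION = valuation_from_extensions(X, {"p": {"a"}})

if __name__ == "__main__":
    print("AD map:", dict(sorted(AD.items())))
    print("order on I:", sorted(cone_order(BASIS)))
    print("open valuation T0-consistent:", t0_consistent(OPEN_VALUATION, X, OPENS))
    print("splitting valuation T0-consistent:", t0_consistent(SPLITTING_VALUATION, X, OPENS))
```

The points a and b receive the same index, so the quotient has three points, and only the valuation built from basic open sets survives the passage to it.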


Chapter  4 

Tableaux  Proof  Systems 


4.1  S4F  and  S4C  Tableaux 

In  this  chapter,  we  give  a  detailed  presentation  of  a  tableaux  proof  system  for  the 
logics  S4F  and  S4C.  The  system  is  an  extension  of  the  treatment  of  modal  tableaux 
in  [NS93]  and  [Ne90],  which  is  in  turn  a  descendant  of  the  modal  prefixed  tableaux 
systems  of  Fitting  [Fi72]  and  [Fi83]  Ch.  8.  The  essential  idea,  which  traces  back  to 
Fitch,  is  to  add  to  the  formal  language  of  proofs  symbols  intended  to  name  possible 
worlds  in  Kripke  models,  taking  to  heart  the  central  idea  of  Beth  [Be59]  that  the 
construction  of  a  tableaux  proof  is  an  attempt  to  build  a  countermodel.  So  to  give 
symbolic  representation  to  such  models,  I  include  in  the  formal  language  of  proofs  not 
only  symbols  for  possible  worlds,  but  also  symbols  for  both  the  accessibility  relation 
and  the  function. 

A  tableaux  is  a  labeled  binary  tree,  where  the  labels,  called  entries,  are  of  two 
sorts: 

•  signed forcing assertions $T[\,t \Vdash \varphi\,]$ or $F[\,t \Vdash \varphi\,]$, and

•  modal accessibility assertions $t\mathsf{R}s$,

where the terms $t,s$ are functional terms generated from a set of primitive world
symbols by applying the unary function symbol $\mathsf{F}$.

The  root  entry  of  a  tableaux  will  always  be  a  signed  forcing  assertion  in  which  the 
term  t  is  required  to  be  a  primitive  world  symbol  w.  The  tableaux  construction  rules, 
for  extending  a  path  in  a  tree,  correspondingly  represent  two  sorts  of  inference: 

•  rules for the logical analysis of signed forcing assertions $T[\,t \Vdash \varphi\,]$ or $F[\,t \Vdash \varphi\,]$,
in terms of the principal connective or modal operator of the formula $\varphi$, designed
to capture the various clauses of the inductive definition of forcing, and

•  rules for the accessibility relation, capturing the reflexivity and transitivity of
$\mathsf{R}$, and for the class of S4C tableaux, a rule capturing the monotonicity of $\mathsf{F}$
with respect to $\mathsf{R}$.

In the course of constructing a tableaux, complex formulas $\varphi$ are broken down while
complex terms $t$ are built up.

A formula $\varphi$ has a tableaux proof exactly when all paths through a tableaux with
root $F[\,\mathsf{w}_0 \Vdash \varphi\,]$ are contradictory, while a non-contradictory path $P$ through a
“finished” tableaux with root $F[\,\mathsf{w}_0 \Vdash \varphi\,]$ gives us the symbolic material to construct
explicitly a Kripke frame $\mathcal{K}_P$ and a valuation $\eta_P$ such that $\mathsf{w}_0 \nVdash_{\eta_P} \varphi$. Symmetrically,
from a non-contradictory path $P$ through a “finished” tableaux with root $T[\,\mathsf{w}_0 \Vdash \varphi\,]$,
we can show that in the Kripke model $(\mathcal{K}_P, \eta_P)$, we have $\mathsf{w}_0 \Vdash_{\eta_P} \varphi$.

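Definition 4.1.1 Let $\mathsf{W}$ be a countable set of world symbols and let $\mathsf{F}$ be a unary
function symbol. Let $\mathsf{W}(\mathsf{F})$ be the set of terms generated from $\mathsf{W}$ under $\mathsf{F}$; i.e. the
free term algebra. A $t \in \mathsf{W}(\mathsf{F})$ is called a world term. So every world term $t \in \mathsf{W}(\mathsf{F})$
is of the form $\mathsf{F}^k(\mathsf{w})$ for some world symbol $\mathsf{w} \in \mathsf{W}$ and integer $k \geq 0$, where $\mathsf{F}^0(\mathsf{w})$
is $\mathsf{w}$. Terms $\mathsf{F}^k(\mathsf{w})$ for $k > 0$ are referred to as complex world terms, while world
symbols $\mathsf{w} \in \mathsf{W}$ are called simple world terms.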

Definition 4.1.2 For a signed forcing assertion of the form:

$T[\,t \Vdash \varphi\,]$ or $F[\,t \Vdash \varphi\,]$

the world term $t$ is said to be the subject of the assertion, and the formula $\varphi$ is said
to be the object of the assertion.

If $t = \mathsf{F}^k(\mathsf{w}_i)$ then $t$ is said to be relevant to any signed forcing assertion which
has $\mathsf{w}_i$ as its subject.

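We assume we have a fixed enumeration $\{\mathsf{w}_i \mid i \in \mathbb{N}\}$ of $\mathsf{W}$. In the section on
completeness, we will also have need of a fixed enumeration of all the world terms in
$\mathsf{W}(\mathsf{F})$, where set-wise $\mathsf{W}(\mathsf{F}) \cong \mathbb{N} \times \mathbb{N}$. Let $p : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ be the standard bijective
pairing function

$$p(i,k) = i + \Big( \sum_{n < i+k} (n+1) \Big) = \tfrac{1}{2}\big( (i+k)^2 + 3i + k \big)$$

We then take

$$\{ s_j \mid i,k,j \in \mathbb{N} \text{ and } j = p(i,k) \text{ and } s_j = \mathsf{F}^k(\mathsf{w}_i) \}$$

as our enumeration of $\mathsf{W}(\mathsf{F})$. We also have need for well-ordered index sets. We
write $I \preceq \mathbb{N}$ to mean $I$ is either a non-empty finite initial segment of $\mathbb{N}$ or else all of
$\mathbb{N}$, and we write $\emptyset \preceq I \preceq \mathbb{N}$ to allow the possibility that $I$ is empty.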


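Definition 4.1.3 The following labeled binary trees are atomic tableaux, where $p \in AP$,
$\varphi, \psi \in \mathcal{L}_{\Box a}$, and $t,s \in \mathsf{W}(\mathsf{F})$.

(T-AP)  root $T[\,t \Vdash p\,]$ only.

(F-AP)  root $F[\,t \Vdash p\,]$ only.

(T¬)  root $T[\,t \Vdash \neg\varphi\,]$, followed by $F[\,t \Vdash \varphi\,]$.

(F¬)  root $F[\,t \Vdash \neg\varphi\,]$, followed by $T[\,t \Vdash \varphi\,]$.

(T→)  root $T[\,t \Vdash \varphi \to \psi\,]$, branching into $F[\,t \Vdash \varphi\,]$ on the left and $T[\,t \Vdash \psi\,]$ on the right.

(F→)  root $F[\,t \Vdash \varphi \to \psi\,]$, followed by $T[\,t \Vdash \varphi\,]$, followed by $F[\,t \Vdash \psi\,]$.

(T□)  root $T[\,t \Vdash \Box\varphi\,]$, followed by $T[\,s \Vdash \varphi\,]$, if $t\mathsf{R}s$ occurs previously on this path.

(F□)  root $F[\,t \Vdash \Box\varphi\,]$, followed by $t\mathsf{R}\mathsf{w}_j$ with $\mathsf{w}_j \in \mathsf{W}$ new, followed by $F[\,\mathsf{w}_j \Vdash \varphi\,]$.

(T[a])  root $T[\,t \Vdash [a]\varphi\,]$, followed by $T[\,\mathsf{F}(t) \Vdash \varphi\,]$.

(F[a])  root $F[\,t \Vdash [a]\varphi\,]$, followed by $F[\,\mathsf{F}(t) \Vdash \varphi\,]$.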
Definition 4.1.4 The class of S4F tableaux is defined inductively as follows:

(i) If $\tau$ is an atomic tableaux in which the world term $t$ in the root entry is a world
symbol $\mathsf{w}_i \in \mathsf{W}$, then $\tau$ is an S4F tableaux.

For the case (F□), the condition that the $\mathsf{w}_j$ in $\mathsf{w}_i\mathsf{R}\mathsf{w}_j$ be “new” merely means
that $j \neq i$; for definiteness, we may take $j = i + 1$.

For the case (T□), the condition that $t\mathsf{R}s$ “occurs previously on this path”
cannot be satisfied in this case, so an atomic tableaux $\tau$ with root entry
$T[\,\mathsf{w}_i \Vdash \Box\varphi\,]$ consists of the root node only.

(ii) If $\tau$ is a finite S4F tableaux, $P$ is a path in $\tau$ which does not contain contradictory
entries:

$T[\,t \Vdash \varphi\,]$ and $F[\,t \Vdash \varphi\,]$

for any $\varphi \in \mathcal{L}_{\Box a}$ and $t \in \mathsf{W}(\mathsf{F})$, and $\tau'$ is constructed from $\tau$ by extending $P$
using one of the following construction rules, then $\tau'$ is an S4F tableaux.

(Develop) A signed forcing assertion $E$ occurs on $P$ and $\tau'$ is constructed from
$\tau$ by appending an atomic tableaux with root entry $E$ to the end of the path $P$.

For the case (F□), where $E$ is of the form $F[\,t \Vdash \Box\varphi\,]$, the condition that
the $\mathsf{w}_j$ in $t\mathsf{R}\mathsf{w}_j$ be “new” means that $j \in \mathbb{N}$ is the least integer such that
$\mathsf{w}_j$ is yet to occur in any entry on $\tau$.

For the case (T□), where $E$ is of the form $T[\,t \Vdash \Box\varphi\,]$, the condition
that $t\mathsf{R}s$ “occurs previously on this path” means that $t\mathsf{R}s$ is an entry on
$P$. If there are no entries $t\mathsf{R}s$ on $P$, for any $s \in \mathsf{W}(\mathsf{F})$, then as in (i), the
atomic tableaux in this case consists only of the root node labelled $E$.

(R-Reflex) A world term $t \in \mathsf{W}(\mathsf{F})$ is relevant to some signed forcing assertion
on $P$, and $\tau'$ is constructed from $\tau$ by adjoining to the end of $P$ an entry
$t\mathsf{R}t$.

(R-Trans) For some $t,s,r \in \mathsf{W}(\mathsf{F})$, accessibility assertions $t\mathsf{R}r$ and $r\mathsf{R}s$ both
occur as entries on $P$, and $\tau'$ is constructed from $\tau$ by adjoining to the end
of $P$ the entry $t\mathsf{R}s$.

(iii)  If  I  ■<  N  and  is  a  sequence  of  finite  S4F  tableaux  such  that  tq  is  an 

atomic  tableaux  and  for  each  n  <  sup(/),  is  constructed  from  t„  by  an 

application  of  clause  (ii),  then  r  =  t„  is  an  S4F  tableaux. 


Definition 4.1.5 Let $\tau$ be an S4F tableaux.

•  A path $P$ in $\tau$ is contradictory if for some $\varphi \in \mathcal{L}_{\Box a}$ and $t \in \mathsf{W}(\mathsf{F})$, both:

$T[\,t \Vdash \varphi\,]$ and $F[\,t \Vdash \varphi\,]$

are entries on $P$.

•  $\tau$ is contradictory if every path in $\tau$ is contradictory.

•  $\tau$ is a tableaux proof of $\varphi \in \mathcal{L}_{\Box a}$ if $\tau$ has root entry $F[\,\mathsf{w}_i \Vdash \varphi\,]$, for some
$\mathsf{w}_i \in \mathsf{W}$, and $\tau$ is contradictory.

We write

$$\mathbf{S4F} \vdash_T \varphi$$

if the formula $\varphi \in \mathcal{L}_{\Box a}$ has an S4F tableaux proof.

Note that by clause (ii) of the definition of S4F and S4C tableaux, only non-contradictory
paths can be extended, thus any contradictory path is finite. Hence if
$\tau$ is a contradictory tableaux, then by König’s Lemma, $\tau$ is finite.


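1   $F[\,\mathsf{w}_0 \Vdash [a](\varphi \to \psi) \to ([a]\varphi \to [a]\psi)\,]$ ✓
2   $T[\,\mathsf{w}_0 \Vdash [a](\varphi \to \psi)\,]$ ✓    1:(F→)
3   $F[\,\mathsf{w}_0 \Vdash [a]\varphi \to [a]\psi\,]$ ✓    1:(F→)
4   $T[\,\mathsf{w}_0 \Vdash [a]\varphi\,]$ ✓    3:(F→)
5   $F[\,\mathsf{w}_0 \Vdash [a]\psi\,]$ ✓    3:(F→)
6   $F[\,\mathsf{F}(\mathsf{w}_0) \Vdash \psi\,]$    5:(F[a])
7   $T[\,\mathsf{F}(\mathsf{w}_0) \Vdash \varphi \to \psi\,]$ ✓    2:(T[a])
8   $T[\,\mathsf{F}(\mathsf{w}_0) \Vdash \varphi\,]$    4:(T[a])
9   left branch: $F[\,\mathsf{F}(\mathsf{w}_0) \Vdash \varphi\,]$    7:(T→);   right branch: $T[\,\mathsf{F}(\mathsf{w}_0) \Vdash \psi\,]$    7:(T→)
    left branch: ⊗ 8,9;   right branch: ⊗ 9,6

Figure 4.1: S4F tableaux proof of axiom [a]K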


As  stated  in  the  (Develop)  construction  rule,  the  signed  forcing  assertion  E 
that  is  being  developed  should  formally  be  repeated  when  the  corresponding  atomic 
tableaux  is  appended  to  the  path  P.  In  our  examples  above,  we  omit  this  repetition 
as  a  notational  convenience. 

Let’s  start  by  giving  tableaux  proofs  of  the  [a]  axioms,  found  in  Figures  4.1  and 
4.2. 


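1   $F[\,\mathsf{w} \Vdash \neg[a]\varphi \to [a]\neg\varphi\,]$ ✓
2   $T[\,\mathsf{w} \Vdash \neg[a]\varphi\,]$ ✓    1:(F→)
3   $F[\,\mathsf{w} \Vdash [a]\neg\varphi\,]$ ✓    1:(F→)
4   $F[\,\mathsf{w} \Vdash [a]\varphi\,]$ ✓
5   $F[\,\mathsf{F}(\mathsf{w}) \Vdash \neg\varphi\,]$ ✓    3:(F[a])
6   $F[\,\mathsf{F}(\mathsf{w}) \Vdash \varphi\,]$    4:(F[a])
7   $T[\,\mathsf{F}(\mathsf{w}) \Vdash \varphi\,]$    5:(F¬)
    ⊗ 7,6

1   $F[\,\mathsf{w} \Vdash [a]\neg\varphi \to \neg[a]\varphi\,]$ ✓
2   $T[\,\mathsf{w} \Vdash [a]\neg\varphi\,]$ ✓    1:(F→)
3   $F[\,\mathsf{w} \Vdash \neg[a]\varphi\,]$ ✓    1:(F→)
4   $T[\,\mathsf{w} \Vdash [a]\varphi\,]$ ✓    3:(F¬)
5   $T[\,\mathsf{F}(\mathsf{w}) \Vdash \neg\varphi\,]$ ✓    2:(T[a])
6   $F[\,\mathsf{F}(\mathsf{w}) \Vdash \varphi\,]$    5:(T¬)
7   $T[\,\mathsf{F}(\mathsf{w}) \Vdash \varphi\,]$    4:(T[a])
    ⊗ 7,6

Figure 4.2: S4F tableaux proofs of axioms [a]D and [a]Dc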


To see that the [a]-necessitation rule of the Hilbert-style proof system is preserved
in $\mathbf{S4F}_T$, assume $\mathbf{S4F} \vdash_T \varphi$ and let $\tau$ be a tableaux proof with root $F[\,\mathsf{w}_0 \Vdash \varphi\,]$.
Now let $\mathsf{w}_i$ be a world symbol that does not occur in $\tau$, and consider the atomic
tableaux:

1   $F[\,\mathsf{w}_i \Vdash [a]\varphi\,]$ ✓
2   $F[\,\mathsf{F}(\mathsf{w}_i) \Vdash \varphi\,]$    1:(F[a])

Let $\tau'$ be the result of substituting the world term $\mathsf{F}(\mathsf{w}_i)$ for $\mathsf{w}_0$ throughout $\tau$. Note
that since $\mathsf{w}_0$ is the subject of the root entry of $\tau$, the only accessibility assertion
containing $\mathsf{w}_0$ that can occur in $\tau$ is $\mathsf{w}_0\mathsf{R}\mathsf{w}_0$. Appending $\tau'$ to the atomic tableaux
above will create a tableaux proof of $[a]\varphi$. Hence $\mathbf{S4F} \vdash_T [a]\varphi$.

The verification of the □-necessitation rule is similar. Assume $\mathbf{S4F} \vdash_T \varphi$, and let
$\tau$ be a tableaux proof with root $F[\,\mathsf{w}_0 \Vdash \varphi\,]$. Now let $i \in \mathbb{N}$ be such that if $\mathsf{w}_j$ occurs
in any entry in $\tau$, then $j < i$. Consider the atomic tableaux:

1   $F[\,\mathsf{w}_i \Vdash \Box\varphi\,]$ ✓
2   $\mathsf{w}_i\mathsf{R}\mathsf{w}_{i+1}$    1:(F□)
3   $F[\,\mathsf{w}_{i+1} \Vdash \varphi\,]$    1:(F□)

Let $\tau'$ be the result of substituting $\mathsf{w}_{i+1}$ for $\mathsf{w}_0$ throughout $\tau$. Appending $\tau'$ to the
atomic tableaux above will create a tableaux proof of $\Box\varphi$. Hence $\mathbf{S4F} \vdash_T \Box\varphi$.

For modus ponens, the construction of a tableaux proof of $\psi$ from tableaux proofs
of $\varphi$ and $\varphi \to \psi$ is essentially equivalent to giving a cut-elimination algorithm for the
corresponding sequent calculus.

Now consider an S4F tableaux for the continuity axiom:

$$\mathbf{Cont}: \quad [a]\Box\varphi \to \Box[a]\varphi$$

given in Figure 4.3, where we take $\varphi$ to be any fixed atomic proposition $p \in AP$.

By inspection of the tableaux, what we need is $\mathsf{F}(\mathsf{w}_0)\mathsf{R}\mathsf{F}(\mathsf{w}_1)$, so that from (5)
by (T□), we would get $T[\,\mathsf{F}(\mathsf{w}_1) \Vdash p\,]$, and a contradiction with (12).

Definition 4.1.6 The class of S4C tableaux is an extension of the class of S4F
tableaux obtained by adding to clause (ii) in Definition 4.1.4 the additional construction
rule:

(F-Cont): An accessibility assertion $t\mathsf{R}s$ occurs as an entry on $P$,
and $\tau'$ is constructed from $\tau$ by adjoining
to the end of $P$ the entry $\mathsf{F}(t)\mathsf{R}\mathsf{F}(s)$.

We write

$$\mathbf{S4C} \vdash_T \varphi$$

if the formula $\varphi \in \mathcal{L}_{\Box a}$ has an S4C tableaux proof, where the notion of tableaux proof
for S4C is the same as that for S4F.

Of  course,  we  now  trivially  have  an  S4C  tableaux  proof  of  the  continuity  axiom. 
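1    $F[\,\mathsf{w}_0 \Vdash [a]\Box p \to \Box[a]p\,]$ ✓
2    $T[\,\mathsf{w}_0 \Vdash [a]\Box p\,]$ ✓    1:(F→)
3    $F[\,\mathsf{w}_0 \Vdash \Box[a]p\,]$ ✓
4    $\mathsf{w}_0\mathsf{R}\mathsf{w}_0$    1:(R-Reflex)
5    $T[\,\mathsf{F}(\mathsf{w}_0) \Vdash \Box p\,]$    2:(T[a])
6    $\mathsf{F}(\mathsf{w}_0)\mathsf{R}\mathsf{F}(\mathsf{w}_0)$    1:(R-Reflex)
7    $\mathsf{w}_0\mathsf{R}\mathsf{w}_1$    3:(F□)
8    $F[\,\mathsf{w}_1 \Vdash [a]p\,]$ ✓    3:(F□)
9    $\mathsf{w}_1\mathsf{R}\mathsf{w}_1$    8:(R-Reflex)
10   $T[\,\mathsf{F}(\mathsf{w}_0) \Vdash p\,]$    5,6:(T□)
11   $\mathsf{F}^2(\mathsf{w}_0)\mathsf{R}\mathsf{F}^2(\mathsf{w}_0)$    1:(R-Reflex)
12   $F[\,\mathsf{F}(\mathsf{w}_1) \Vdash p\,]$    8:(F[a])
13   $\mathsf{F}(\mathsf{w}_1)\mathsf{R}\mathsf{F}(\mathsf{w}_1)$    8:(R-Reflex)
     no contradiction

Figure 4.3: S4F tableaux for axiom Cont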


4.2  The  Term  Frame  of  a  Path 

The great attraction of semantic tableaux as a proof system is that the construction of
a tableaux proof is simultaneously an attempt to build a countermodel. This section
gives a careful account of the term frame of a path through a tableaux.


Definition 4.2.1 Let $\tau$ be an S4F tableaux and let $P$ be a path through $\tau$.
We associate with $P$ a unique Kripke frame $\mathcal{K}_P = (W_P, R_P, F_P)$, called the term
frame for $P$, as follows.

Let $\mathsf{W}_0$ be the set of all world symbols $\mathsf{w}_i \in \mathsf{W}$ that are the subject of a signed
forcing assertion on $P$. Let

$$W_P = \{ \mathsf{F}^k(\mathsf{w}_i) \mid \mathsf{w}_i \in \mathsf{W}_0 \text{ and } k \in \mathbb{N} \}$$

i.e. $W_P \subseteq \mathsf{W}(\mathsf{F})$ is the smallest subset of $\mathsf{W}(\mathsf{F})$ that contains all world terms that are
the subject of some signed forcing assertion on $P$ and is also closed under application
of $\mathsf{F}$. [Note that $W_P$ is always countably infinite.]

The relation $R_P$ on $W_P$ is defined to be the reflexive and transitive closure of the
relation $R$ on $W_P$ defined by:

$$(t,s) \in R \;\Leftrightarrow\; t\mathsf{R}s \text{ is an entry on } P$$

for all $t,s \in W_P$. That is,

$$R_P = \bigcup_{m \in \mathbb{N}} R_m$$

where

$R_0 = \{ (t,t) \mid t \in W_P \}$, the identity relation on $W_P$

$R_1 = R = \{ (t,s) \in W_P \times W_P \mid t\mathsf{R}s \text{ is an entry on } P \}$

$R_{m+1} = R_m \cup \{ (t,s) \mid (\exists r \in W_P)\ (t,r) \in R_m \text{ and } (r,s) \in R_m \}$

Define a function $F_P : W_P \to W_P$ by

$$F_P(t) = \mathsf{F}(t)$$

for all $t \in W_P$; i.e. $F_P$ is the term constructor function on $W_P$.


Definition 4.2.2 Let $\tau$ be an S4C tableaux and let $P$ be a path through $\tau$. We
associate with $P$ a unique Kripke frame $\mathcal{K}_P = (W_P, R_P, F_P)$, called the term frame for
$P$, as follows.

The set of world terms $W_P$ as well as the function $F_P : W_P \to W_P$ is the same as
in Definition 4.2.1.

The relation $R_P$ on $W_P$ is defined to be the reflexive, transitive and F-functional
closure of the relation $R$ on $W_P$ defined by:

$$(t,s) \in R \;\Leftrightarrow\; t\mathsf{R}s \text{ is an entry on } P$$

for all $t,s \in W_P$. That is,

$$R_P = \bigcup_{m \in \mathbb{N}} R^+_m$$

where

$R^+_0 = \{ (t,t) \mid t \in W_P \}$, the identity relation on $W_P$

$R^+_1 = R = \{ (t,s) \in W_P \times W_P \mid t\mathsf{R}s \text{ is an entry on } P \}$

$R^+_{m+1} = R^+_m \cup \{ (t,s) \mid (\exists r \in W_P)\ (t,r) \in R^+_m \text{ and } (r,s) \in R^+_m \} \cup \{ (\mathsf{F}(t), \mathsf{F}(s)) \mid (t,s) \in R^+_m \}$


Proposition 4.2.3 Let $\tau$ be an S4C tableaux and let $P$ be a path through $\tau$. Then
the term frame $\mathcal{K}_P = (W_P, R_P, F_P)$ is a continuous Kripke frame.

Proof. The $R_P$-monotonicity condition:

$$(t,s) \in R_P \;\Rightarrow\; (F_P(t), F_P(s)) \in R_P$$

for all $t,s \in W_P$, follows trivially from the definition of $R_P$ and $F_P$. ■

The term frame $\mathcal{K}_P = (W_P, R_P, F_P)$ represents all the frame information expressed
in entries on the path $P$. The signed forcing assertions occurring on $P$ potentially define
a valuation $\eta_P$ for $\mathcal{K}_P$ satisfying:

$T[\,t \Vdash \varphi\,]$ is an entry on $P$ $\;\Rightarrow\;$ $t \Vdash_{\eta_P} \varphi$

$F[\,t \Vdash \varphi\,]$ is an entry on $P$ $\;\Rightarrow\;$ $t \nVdash_{\eta_P} \varphi$

Of course, if $P$ is a contradictory path, then there can be no valuation $\eta_P$ satisfying
these conditions.

Definition 4.2.4 Let $\tau$ be an S4F (S4C) tableaux and suppose there is a non-contradictory
path $P$ through $\tau$. Let $\mathcal{K}_P = (W_P, R_P, F_P)$ be the term frame for $P$.

The path valuation $\eta_P : W_P \to \mathcal{P}(AP)$ for $\mathcal{K}_P$ is defined by:

$$p \in \eta_P(t) \;\Leftrightarrow\; T[\,t \Vdash p\,] \text{ is an entry on } P$$

for all $t \in W_P$ and $p \in AP$.


For non-contradictory paths $P$, the term model $(\mathcal{K}_P, \eta_P)$ is basically a two-sorted
Herbrand structure. Since we are working in an extension of classical propositional
logic, the first sort is just the Boolean values $\mathbb{B} = \{0, 1\}$, the values of $\mathcal{L}_{\Box a}$ formulas
in worlds. The second sort is the real novelty: we have objects denoted by world
terms $\mathsf{F}^k(\mathsf{w}_i)$ in $W_P$. The structure $\mathcal{K}_P$ comes equipped with a distinguished binary
predicate $R_P$ and a distinguished unary function $F_P$, both defined on the set $W_P$.


Accordingly,  signed  forcing  assertions  t  IH  y?  ]  can  be  thought  of  as  sentences  in  a 
two-sorted  (first-order)  language. 

In  making  use  of  the  term  frame,  one  of  the  central  notions  is  that  of  a  Kripke 
model  agreeing  with  a  path  P,  which  basically  means  that  the  model  is  a  quotient  of 
the  term  model 

Definition 4.2.5 Let $\tau$ be an S4F (S4C) tableaux, let $P$ be a path through $\tau$ and let
$\mathcal{K}_P = (W_P, R_P, F_P)$ be the term frame for $P$. Let $\mathcal{K} = (W, R, F)$ be a frame for $\mathcal{L}_{\Box a}$ and
let $\eta$ be a valuation for $\mathcal{K}$.

We say the Kripke model $(\mathcal{K}, \eta)$ agrees with $P$ iff there exists a surjective map

$h : W_P \to W$ such that

(i) $\mathcal{K}$ is a quotient under $h$ of $\mathcal{K}_P$, as in Definition 8.3.1, and

(ii) $h$ preserves the valuations described on $P$:

$T[\,t \Vdash \varphi\,]$ is an entry on $P$ $\;\Rightarrow\;$ $h(t) \Vdash_{\eta} \varphi$

$F[\,t \Vdash \varphi\,]$ is an entry on $P$ $\;\Rightarrow\;$ $h(t) \nVdash_{\eta} \varphi$

for all $\varphi \in \mathcal{L}_{\Box a}$ and $t \in W_P$.

We say $(\mathcal{K}, \eta)$ agrees with $P$ with quotient map $h$, or witnessed by $h$, when we
need to identify the map $h$.


In the proof of completeness, we give a systematic procedure which ensures that
every entry that could be on $P$, is on $P$, if the path is non-contradictory. In this case,
we have $(\mathcal{K}_P, \eta_P)$ agreeing with $P$ via the identity map. In the proof of the finite model
property, we obtain a finite quotient of $(\mathcal{K}_P, \eta_P)$ agreeing with $P$.

The remainder of this section is devoted to identifying the key properties of the
term frame $\mathcal{K}_P = (W_P, R_P, F_P)$. We have already noted that $W_P$ is always countably
infinite. Note also that all the world terms generated from distinct world symbols
occurring on $P$ are distinct:

$$\mathsf{F}^k(\mathsf{w}_i) \neq \mathsf{F}^l(\mathsf{w}_j)$$

whenever $i \neq j$ or $k \neq l$. Since

$$F_P(\mathsf{F}^k(\mathsf{w}_i)) = \mathsf{F}^{k+1}(\mathsf{w}_i)$$

the function $F_P$ is trivially injective. World terms only get to be identified when we
take a quotient of $\mathcal{K}_P$.


Lemma 4.2.6 Let $P$ be a path through an S4F (S4C) tableaux $\tau$, let $\tau'$ be an
S4F (S4C) tableaux obtained from $\tau$ by extending $P$ by applying one of the tableaux
construction rules in clause (ii) of Definition 4.1.4 (Definition 4.1.6), and let $P'$ be
any path through $\tau'$ extending $P$.

(a) If the rule applied is not the (F□) case of the (Develop) rule, then we have:

$$\mathcal{K}_{P'} = \mathcal{K}_P$$

(b) If the rule (F□) is applied to an entry $F[\,t \Vdash \Box\psi\,]$ occurring on $P$, where
$t = \mathsf{F}^k(\mathsf{w}_i) \in W_P$, and $j \in \mathbb{N}$ is the least such that $\mathsf{w}_j$ is yet to occur in any
entry on $\tau$, then:

•  $i < j$;

•  $W_{P'} = W_P \cup \{ \mathsf{F}^k(\mathsf{w}_j) \mid k \in \mathbb{N} \}$;

•  $R_{P'}$ is the reflexive and transitive closure in $W_{P'}$ (reflexive, transitive and
F-functional closure in $W_{P'}$) of $R_P \cup \{ (\mathsf{F}^k(\mathsf{w}_i), \mathsf{w}_j) \}$; and

•  $F_{P'}$ is the term constructor function on $W_{P'}$ uniquely extending $F_P$.

Hence:

$\mathcal{K}_P$ is a proper subframe of $\mathcal{K}_{P'}$

Proof. There is only one extension $P'$ of $P$ except for an application of the (T→)
case of the (Develop) rule, when there are two possibilities for $P'$.

In all cases of the (Develop) rule other than (F□), we have $W_{P'} = W_P$ and
hence $F_{P'} = F_P$, since no new world symbols are introduced. In these cases, no new
accessibility assertions are added to $P$ so $R_{P'} = R_P$. Hence $\mathcal{K}_{P'} = \mathcal{K}_P$.

For the accessibility relation rules (R-Reflex) and (R-Trans) (and the (F-Cont)
rule for S4C tableaux), there are also no new world symbols introduced, so $W_{P'} = W_P$
and $F_{P'} = F_P$. In these cases, the sole path $P'$ extending $P$ only contains new
accessibility assertions, and these new assertions are already accounted for in $R_P = R_{P'}$,
since $R_P$ is the reflexive and transitive (and F-functional) closure of the relation
on $W_P = W_{P'}$ defined by the set of all accessibility assertions occurring on $P$. Hence
$\mathcal{K}_{P'} = \mathcal{K}_P$ in these cases also.

It is then clear that the only case in which $\mathcal{K}_{P'}$ is a proper extension of $\mathcal{K}_P$ is in the
(F□) case. Suppose (F□) is applied to an entry $F[\,t \Vdash \Box\psi\,]$ on $P$, where $t = \mathsf{F}^k(\mathsf{w}_i)$
for some $i,k \in \mathbb{N}$, and $j \in \mathbb{N}$ is the least such that $\mathsf{w}_j$ is yet to occur in any entry
on $\tau$. Then we must have $i < j$, and the sole path $P'$ extending $P$ contains a new
accessibility assertion $\mathsf{F}^k(\mathsf{w}_i)\mathsf{R}\mathsf{w}_j$, and a new signed forcing assertion $F[\,\mathsf{w}_j \Vdash \psi\,]$.

By the definition of the term frame of a path, the extension $\mathcal{K}_{P'}$ clearly satisfies (b).


So accessibility assertions added to a path in an S4F or S4C tableaux by (F□)
are always of the form:

$$\mathsf{F}^k(\mathsf{w}_i)\mathsf{R}\mathsf{w}_j \quad\text{where } i < j$$

The pattern is always from an arbitrary (complex or simple) world term to a later
simple world term. For S4F, taking the reflexive and transitive closure does not
change this fundamental pattern, while for S4C, taking the F-functional closure
opens up more possibilities but the pattern is still quite constrained.


Proposition  4.2.7  Let  r  be  an  S4F  tableaux,  let  P  be  a  path  through  r,  and  let 
)Cp  =  (Wp,  Rp,  Fp)  be  the  term  frame  for  P. 

Then  for  each  t  =  F*^(w,)  €  Wp,  every  Rp  chain  from  t  is  of  the  form: 

(F‘(wi)>  .  (Wi,  \j€J} 

for  some  (h  ;;;<  J  :<  N,  where 

i  <  io  <  ij  <  ij+i 

for  all  j  <  sup(  J) . 

So  the  term  frame  ICp  has  the  following  properties:  Wp  is  countably  infinite,  Rp  is 
a  partial  order,  and  Fp  is  injective. 

Hence  the  induced  D-topological  structure  %p  =  (\Vp,Tp,  Fp)  is  countable  and  To, 
with  an  injective  function. 

Moreover,  the  basic  open  set  for  t  —  F*(w,)  6  Wp  in  the  cone  topology  Tp  =  Tr, 
is  of  the  form 

Bt  =  {F*'(w,)}  U  {w,„  I  n  e  A'’} 

for  some  (possibly  empty)  subset  iV  C  N,  where  i  <  in  <  in'  for  all  n,n'  E  N  with 
n  <  n*. 

Proof.  Fix  t  =  F*^(wj)  €  Wp.  It  is  clear  from  the  construction  of  S4F  tableaux  that 
for  all  s  €  W(F),  if  tUs  is  an  entry  on  P,  then  either  s  =  t,  or  else  s  =  W/  G  W 
for  some  I  >  i  and  there  exists  m  >  0  and  world  symbols  w,;,,  w,, , ...,  w,^  G  W  such 
that 

•  f  <  io  <  ii  <  •••  <  im  =  i; 

•  the  world  symbol  was  introduced  by  (FD)  applied  to  a  signed  forcing  as¬ 
sertion  F[  t  Ih  Oi/jj  ]  on  P,  and  tRw,g  is  an  entry  on  P; 
•  for  1  <  j  <  m,  the  world  symbol  was  introduced  by  (FD)  applied  to  a

signed  forcing  assertion  F[  w,v  IH  Bij)-  ]  on  P,  and  is  an  entry  on  P. 

Recall  from  Definition  4.2.1  that 


Fp  =  U  ^ 

n€N 

It  then  follows  by  induction  on  n  that  if  (i,s)  €  Rn  and  s  ^  t,  then  s  =  w/  6  W 
for  some  I  >  i  and  there  exists  m  >  0  and  world  symbols  w,„,  w,-,, w,,^  6  W  such 
that  i<io<  ii  <  ...  <  im  =  1]  (<,w.J  €  Rn]  and  for  1  <  i  <  m,  (w.^, €  F„. 
Hence  every  Rp  chain  from  t  is  of  the  form: 

(F‘(wi)) . (wi,  \jeJ) 

for  some  0  J  N,  where 

t  Iq  <C  tj  ^  tj^\ 

for  all  j  <  sup(  J). 

Now  suppose  (t,s)  G  R?  with  s^t.  Then  s  =  wj  for  some  j  >  i,  so  (s,t)  = 
(wj,F^(w,))  ^  Rp.  Hence  Fp  is  a  partial  order,  as  required.  The  remaining  properties 
of  JCp  have  already  been  noted. 

Finally,  observe  that  in  the  cone  topology  7p,  the  basic  open  set  Bt  is  the  union 
of  all  Rp  chains  from  t.  ■ 

When  P  is  a  path  through  an  S4C  tableaux,  the  Rp  chains  are  more  complicated 
but  still  admit  an  explicit  description. 


Proposition  4.2.8  Let  t  be  an  S4C  tableaux,  let  P  be  a  path  through  r,  and  let 
Kp  =  {Wp,  Rp,  Fp)  be  the  term  frame  for  P. 

Then  for  each  t  =  F*^(wi)  €  Wp,  every  Rp  chain  from  t  is  of  the  form: 

for  some  ^  J  where 

i  <  io  <  ij  <  ij+i  and  kj+i  <  kj  <  ko  <  k 


for  all  j  <  sup(J). 

So  the  term  frame  Kp  has  the  following  properties:  Wp  is  countably  infinite,  Rp  is 
a  partial  order,  and  Fp  is  continuous  and  injective. 

Hence  the  induced  continuous  D-topological  structure  %p  =  (Wp,Tp,  Fp)  is  count¬ 
able  and  To,  with  an  injective  function. 


Moreover,  the  basic  open  set  for  t  =  F^(w,)  G  Wp  in  the  cone  topology  Tp  =  Tr,
is  of  the  form 

5*  =  {F'=(w,)}U{F"»(w.J|nGiV} 

for  some  (possibly  empty)  subset  N  C  N,  where  i  <  in  <  in'  o,nd  kn  <  k  for  all 
n,n'  E  N  with  n  <  n' . 

Proof.  Fix  t  —  F^(w,)  G  Wp.  It  is  clear  from  the  definition  of  S4C  tableaux  that  for 
all  s  G  W(F),  if  tKs  is  an  entry  on  P,  then  either  s  =  t,  or  else  there  exists  m  >  0, 
world  symbols  w.-^, G  W  and  world  terms  to,ti,...,tm  €  W(F)  such  that 

•  for  0  <  j  <  m,  tj  =  F*^^(Wy)  for  some  kj  >  0; 

•  for  0  <  j  <  m,  tjl^tj.^.l  is  an  entry  on  P; 

•  Im  ~ 

^  Z  ^  Zq  ^  Zj  ^  ...  ZjYi^ 

•  the  world  symbol  w,;,  was  introduced  by  (FD)  applied  to  a  signed  forcing  as¬ 
sertion  F[  F^(w,)  Ih  □t/'o  ]  on  P)  for  some  I  >  0,  and  F^(w,)Rw,(,  is  an  entry  on 

P; 

•  for  0  <  /i  <  fco,  the  entry  F'+^(w,)  RF^(w,o)  is  on  P  in  virtue  of  the  (F-Cont) 
rule  applied  to  the  entry  F^'*’*”^(w,)  RF^“^(w,o)  on  P; 

•  k  =  I  +  ko,  and  so  ko  <  k] 

•  for  0  <  j  <  m,  the  world  symbol  was  introduced  by  (FD)  applied  to 

a  signed  forcing  assertion  F[  Fb(w,v)  Ih  Dtp-  ]  on  P,  for  some  Ij  >  0,  and 
Fb(w,v)  Rw,^^,  is  an  entry  on  P; 

•  for  0  <  j  <  m  and  for  0  <  <  kj+i,  the  entry  Fb+'‘(w,-,.)  RF^(w,v^,)  is  on  P 

in  virtue  of  the  (F-Cont)  rule  applied  to  the  entry  Fb‘*‘'‘“*(w,v)  RF'‘~^(w,-^^j) 
on  P;  and 

•  for  0  <  j  <  m,  kj  =  Ij  -h  fcj+i,  and  so  fcj+i  <  kj. 

Recall  from  Definition  4.2.2  that 


ngN 

It  then  follows  by  induction  on  n  that  if  (t,  s)  G  Rn  and  s  ^  t,  then  there  exists  m  >  0, 
world  symbols  w.^,  G  W,  and  world  terms  to,ti,...,tm  G  W(F)  such  that 


^  <  *0  <  <  ...  <  im  =  1-,  for  0  <  j  <  m,  tj  =  F*=j(w,v)  and  G  /?+,  if  j  <  m; 

for  0  <  /i  <  fco,  (F'+'*(w,),F'(w,J)  €  /?+  where  k  =  I ko]  and  for  1  <  j  <  m  and 
0<h<  fcj+i,  (F'>+'‘(w.J,F'‘(w,v^J)  G  Rt  with  kj  =  Ij  +  kj+i. 

Hence  every  Rp  chain  from  t  is  of  the  form: 

(F'=(w.))*(F*^(w,v)  \  j  eJ) 

for  some  0  ^  N,  where: 

i  <  io  <  ij  <  ijj.1  and  kj+i  <  kj  <  ko  <  k 

for  all  j  <  sup(  J). 

Now  suppose  (t,  s)  G  Rp  with  sj^t.  Then  s  =  F'(wy)  for  some  j  >  i  and  I  <k,  so 
(s,  <)  =  (F'(w_,),F*^(w,))  ^  Rp.  Hence  Rp  is  a  partial  order,  and  so  the  cone  topology 
Tp  =  Tftr  is  To.  As  before,  the  description  of  the  basic  open  set  Bt  follows  from  the 
fact  that  Bt  is  the  union  of  all  Rp  chains  from  t.  M 

Note that the continuous term frame will also satisfy the converse of the $R_P$-monotonicity
condition

$$(\mathsf{F}(t), \mathsf{F}(s)) \in R_P \;\Rightarrow\; (t,s) \in R_P$$

for all $t,s \in W_P$, since if a complex term $\mathsf{F}(s)$ occurs on the right hand side of an
accessibility assertion $\mathsf{F}(t)\mathsf{R}\mathsf{F}(s)$ on $P$, it got put there by either the (F-Cont) rule
or else the (R-Reflex) or (R-Trans) rules. However, as noted in our discussion at
the end of Section 3.1, $F_P$ will fail to be an open map w.r.t. the topology $\mathcal{T}_{R_P}$ because
the primitive world symbols $\mathsf{w}_i$ in $W_P$ fall outside the range of $F_P$.

As a set, $W_P = I \times \mathbb{N}$ for some initial segment $I \preceq \mathbb{N}$, so one can think of the
term frame $\mathcal{K}_P$ as a two-dimensional discrete array of points, vertically infinite with
the points in a column with base $\mathsf{w}_i$ labelled by all the iterates $\mathsf{F}^k(\mathsf{w}_i)$ for $k \in \mathbb{N}$,
but possibly finite horizontally. Accessibility relations are edges always going from
left to right, from an $\mathsf{F}^k(\mathsf{w}_i)$ to a $\mathsf{w}_j$ for $j > i$, and when $\mathsf{F}$ denotes a continuous
function, there are all the “parallel” edges from $\mathsf{F}^{k+l}(\mathsf{w}_i)$ to a $\mathsf{F}^l(\mathsf{w}_j)$ as well. In
practice, there is a bound on the number of iterates $k$ one needs to take. If the
[a]-rank of a formula $\varphi$ is the number of subformulas of $\varphi$ of the form $[a]\psi$, then the
iterates $\mathsf{F}^k(\mathsf{w}_i)$ for $0 \leq k \leq [a]\text{-rank}(\varphi)$ will be sufficient. Taking all the iterates is a
technical convenience to ensure that the term constructor function $t \mapsto \mathsf{F}(t)$ is total.
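The closures of Definitions 4.2.1 and 4.2.2 can be computed once the iterates are bounded, as the paragraph above allows. The following Python code is an added example, not code from the report: it encodes $\mathsf{F}^k(\mathsf{w}_i)$ as the pair (i, k), truncates at a chosen depth (an assumption, as are all function names), and runs both closures over the accessibility entries of Figure 4.3 to show the edge from F(w0) to F(w1) that only the S4C closure supplies.

```python
# Added example (not from the report): term frames for the path of Figure 4.3.
# A world term F^k(w_i) is encoded as the pair (i, k).

def F(t):
    """Term constructor t -> F(t)."""
    i, k = t
    return (i, k + 1)

def term_frame(entries, symbols, depth, continuous):
    """Reflexive and transitive closure (plus F-functional closure when
    `continuous` is set) of the accessibility entries on a path, restricted
    to the terms F^k(w_i) with k <= depth."""
    W = {(i, k) for i in symbols for k in range(depth + 1)}
    R = {(t, t) for t in W} | {(t, s) for (t, s) in entries if t in W and s in W}
    while True:
        step = {(t, s) for (t, r) in R for (r2, s) in R if r == r2}
        if continuous:
            step |= {(F(t), F(s)) for (t, s) in R if F(t) in W and F(s) in W}
        if step <= R:
            return W, R
        R |= step

def is_monotone(W, R):
    """R-monotonicity of F, checked wherever both images fall inside the bound."""
    return all((F(t), F(s)) in R for (t, s) in R if F(t) in W and F(s) in W)

def is_partial_order(R):
    """R is reflexive and transitive by construction; check antisymmetry."""
    return all(t == s or (s, t) not in R for (t, s) in R)

def left_to_right(R):
    """Each non-reflexive edge runs from F^k(w_i) to F^l(w_j) with i < j, l <= k."""
    return all(t == s or (t[0] < s[0] and s[1] <= t[1]) for (t, s) in R)

def t_box_clashes(R, true_box, false_atom):
    """(T box) step: T[t |- box p] with t R s yields T[s |- p]; return the
    terms s for which F[s |- p] is also an entry on the path."""
    return sorted(s for (t, s) in R if t in true_box and s in false_atom)

# Entries of Figure 4.3, transcribed by hand for this example.
W0, W1 = (0, 0), (1, 0)
FIG_ENTRIES = {(W0, W0), (F(W0), F(W0)), (W0, W1), (W1, W1),
               (F(F(W0)), F(F(W0))), (F(W1), F(W1))}
TRUE_BOX_P = {F(W0)}   # entry 5:  T[ F(w0) |- box p ]
FALSE_P = {F(W1)}      # entry 12: F[ F(w1) |- p ]

W_F, R_F = term_frame(FIG_ENTRIES, {0, 1}, depth=2, continuous=False)  # Def. 4.2.1
W_C, R_C = term_frame(FIG_ENTRIES, {0, 1}, depth=2, continuous=True)   # Def. 4.2.2

if __name__ == "__main__":
    for name, W, R in (("S4F", W_F, R_F), ("S4C", W_C, R_C)):
        print(name, "edges:", len(R), "monotone:", is_monotone(W, R),
              "partial order:", is_partial_order(R),
              "clashes:", t_box_clashes(R, TRUE_BOX_P, FALSE_P))
```

In the S4F frame the path stays open because nothing relates F(w0) to F(w1); in the S4C frame the F-functional closure adds that edge and the (T□) step clashes with entry 12.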


4.3  Soundness  of  Tableaux 


The Soundness of S4F and S4C tableaux is a simple consequence of the following
theorem (an extension of [NS97], Theorem 4.2).

Theorem 4.3.1 Let $\tau$ be an S4F (S4C) tableaux, let $\mathcal{K} = (W, R, F)$ be a (continuous)
frame for $\mathcal{L}_{\Box a}$, let $\eta$ be a valuation for $\mathcal{K}$, and let $\varphi \in \mathcal{L}_{\Box a}$.

If for some world symbol $\mathsf{w} \in \mathsf{W}$ and some element $w \in W$, either

(a) $F[\,\mathsf{w} \Vdash \varphi\,]$ is the root entry of $\tau$, and $w \nVdash_{\eta} \varphi$, or else

(b) $T[\,\mathsf{w} \Vdash \varphi\,]$ is the root entry of $\tau$, and $w \Vdash_{\eta} \varphi$,

then there is a path $P$ through $\tau$ such that $(\mathcal{K}, \eta)$ agrees with $P$, where the quotient
map $h : W_P \to W$ satisfies $h(\mathsf{w}) = w$.

To  prove  Theorem  4.3.1,  we  need  a  further  lemma  on  the  inductive  construction 
of  tableaux. 

Lemma 4.3.2 Let $\tau$ be an S4F (S4C) tableaux, let $P$ be a path through $\tau$, let $\mathcal{K}_P = (W_P, R_P, F_P)$ be the term frame of $P$, let $\mathcal{K} = (W, R, F)$ be a (continuous) frame for $\mathcal{L}_{\Box a}$ and let $\eta$ be a valuation for $\mathcal{K}$.

If $(\mathcal{K}, \eta)$ agrees with $P$, with quotient map $h : W_P \to W$, and $\tau'$ is an S4F (S4C) tableaux obtained from $\tau$ by extending $P$ using one of the tableaux construction rules in clause (ii) of Definition 4.1.4 (Definition 4.1.6),

then there is a path $P'$ through $\tau'$ extending $P$ and a function $h' : W_{P'} \to W$ extending $h$ such that $h'$ witnesses that $(\mathcal{K}, \eta)$ agrees with $P'$.

Proof. By Lemma 4.2.6, if $P'$ is any extension of $P$ in virtue of clause (ii) of Definition 4.1.4 (Definition 4.1.6), then $W_{P'} = W_P$ and $\mathcal{K}_P = \mathcal{K}_{P'}$ except if $P$ is extended to $P'$ using the ($F\Box$) case of the (Develop) rule. So for the tableaux construction rules other than ($F\Box$), the quotient map $h$ requires no extension and we only need show that $h = h'$ preserves the valuations described on a path $P'$ through $\tau'$ extending $P$.

The propositional cases of (Develop) rule are straightforward: from the hypothesis of the lemma and the corresponding clause in the definition of forcing (Definition 2.3.2), it is clear that one of the (at most two) extensions $P'$ of $P$ will be such that $h$ preserves the valuations described on $P'$.

Applications of the (R-Reflex) or (R-Trans) rules, or the (F-Cont) rule for S4C tableaux introduce no new signed forcing assertions, so it is immediate from the hypothesis of the lemma that $h$ preserves the valuations described on $P'$.

When the ($T\Box$) case of (Develop) rule is applied, entries of the form $T[\, t \Vdash \Box\psi \,]$ and $t\mathbf{R}s$ occur on $P$, and the sole path $P'$ extending $P$ contains a single new signed forcing assertion $T[\, s \Vdash \psi \,]$. By the hypothesis and the definition of agreement for $P$, we have $h(t) \Vdash_\eta \Box\psi$ and $(h(t), h(s)) \in R$, hence by the $\Box$ clause in the definition of forcing, $h(s) \Vdash_\eta \psi$, so $h$ preserves the valuations described on $P'$.

When the ($T[a]$) (respectively, ($F[a]$)) case of (Develop) rule is applied, an entry of the form $T[\, t \Vdash [a]\psi \,]$ ($F[\, t \Vdash [a]\psi \,]$) occurs on $P$, and the sole path $P'$ extending $P$ contains a single new signed forcing assertion $T[\, \mathbf{F}(t) \Vdash \psi \,]$ ($F[\, \mathbf{F}(t) \Vdash \psi \,]$). By the hypothesis and the definition of agreement for $P$, we have $h(t) \Vdash_\eta [a]\psi$ ($h(t) \nVdash_\eta [a]\psi$). By the $[a]$ clause in the definition of forcing, and the commutativity equation $F(h(t)) = h(\mathbf{F}(t))$,

$$h(t) \Vdash_\eta [a]\psi \quad\text{iff}\quad F(h(t)) \Vdash_\eta \psi \quad\text{iff}\quad h(\mathbf{F}(t)) \Vdash_\eta \psi$$

so $h$ preserves the valuations described on $P'$.

It remains to deal with the ($F\Box$) case of the (Develop) rule. In this case, for some world term $t \in W_P$, there is an entry $F[\, t \Vdash \Box\psi \,]$ occurring on $P$, and the sole path $P'$ extending $P$ contains a new accessibility assertion of the form $t\mathbf{R}\mathbf{w}_j$, with $\mathbf{w}_j$ a new world symbol, as well as a new signed forcing assertion $F[\, \mathbf{w}_j \Vdash \psi \,]$. Hence

$$W_{P'} = W_P \cup \{\mathbf{F}^k(\mathbf{w}_j) \mid k \in \mathbb{N}\}$$

and $R_{P'}$ is the reflexive and transitive closure (reflexive, transitive and F-functional closure) of $R_P \cup \{(t, \mathbf{w}_j)\}$ in $W_{P'}$. Now by the hypothesis and the definition of agreement for $P$, we have $h(t) \nVdash_\eta \Box\psi$. Hence by the $\Box$ clause in the definition of forcing, there is a $w \in W$ such that $(h(t), w) \in R$ and $w \nVdash_\eta \psi$. Define $h' : W_{P'} \to W$ by

$$h'(s) = \begin{cases} h(s) & \text{if } s \in W_P \\ F^k(w) & \text{if } s = \mathbf{F}^k(\mathbf{w}_j) \text{ and } k \in \mathbb{N} \end{cases}$$

Then $h'$ is surjective, and it follows that $(s, r) \in R_{P'}$ implies $(h'(s), h'(r)) \in R$, and $F(h'(s)) = h'(\mathbf{F}(s))$, for all $s, r \in W_{P'}$. Since $w = h'(\mathbf{w}_j)$, we have $h'(\mathbf{w}_j) \nVdash_\eta \psi$. Hence $(\mathcal{K}, \eta)$ agrees with $P'$ with witness $h'$, as required. ■

We  now  return  to  the  proof  of  Theorem  4.3.1. 

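Proof. Let $\tau$ be an S4F (S4C) tableaux, let $\mathcal{K} = (W, R, F)$ be a frame for $\mathcal{L}_{\Box a}$, let $\eta$ be a valuation for $\mathcal{K}$, and let $\varphi \in \mathcal{L}_{\Box a}$. Assume that for some world symbol $\mathbf{w} \in \mathbf{W}$ and some element $w \in W$, either

(a) $F[\, \mathbf{w} \Vdash \varphi \,]$ is the root entry of $\tau$, and $w \nVdash_\eta \varphi$, or else

(b) $T[\, \mathbf{w} \Vdash \varphi \,]$ is the root entry of $\tau$, and $w \Vdash_\eta \varphi$,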


We proceed by induction on the construction of the tableaux $\tau$.

If $\tau$ is an atomic S4F (S4C) tableaux, as in clause (i) of Definition 4.1.4, then let $P_\tau$ be the path through $\tau$ consisting of the root node only. Then

$$W_{P_\tau} = \{\mathbf{F}^k(\mathbf{w}) \mid k \in \mathbb{N}\}$$

$R_{P_\tau}$ is the empty binary relation on $W_{P_\tau}$, and $F_{P_\tau}(\mathbf{F}^k(\mathbf{w})) = \mathbf{F}^{k+1}(\mathbf{w})$ for all $k \in \mathbb{N}$. Define $h_\tau : W_{P_\tau} \to W$ by

$$h_\tau(\mathbf{F}^k(\mathbf{w})) = F^k(w)$$

for all $k \in \mathbb{N}$. Then by the definition of $h_\tau$ and the hypothesis of the theorem, $h_\tau$ witnesses that $(\mathcal{K}, \eta)$ agrees with $P_\tau$ and $h_\tau(\mathbf{w}) = w$. Now apply the same reasoning as in the proof of Lemma 4.3.2 to obtain a path $P$ through $\tau$ extending $P_\tau$ and a function $h : W_P \to W$ extending $h_\tau$ such that $h$ witnesses that $(\mathcal{K}, \eta)$ agrees with $P$ and $h(\mathbf{w}) = w$.

Next, suppose $\tau$ is an S4F (S4C) tableaux and $(\mathcal{K}, \eta)$ agrees with a path $P$ through $\tau$, with quotient map $h : W_P \to W$ such that $h(\mathbf{w}) = w$, and $\tau'$ is an S4F (S4C) tableaux obtained from $\tau$ by extending $P$ using one of the tableaux construction rules in clause (ii) of Definition 4.1.4 (Definition 4.1.6). Then by Lemma 4.3.2, there is a path $P'$ through $\tau'$ extending $P$ and a function $h' : W_{P'} \to W$ extending $h$ such that $h'$ witnesses that $(\mathcal{K}, \eta)$ agrees with $P'$ and $h'(\mathbf{w}) = w$.

Finally, suppose that $I \preceq \mathbb{N}$ and $\tau = \bigcup_{n \in I} \tau_n$ is an S4F (S4C) tableaux as in clause (iii) of Definition 4.1.4 (Definition 4.1.6), where $\tau_0$ is an atomic tableaux and for each $n < \sup(I)$, $\tau_{n+1}$ is constructed from $\tau_n$ by an application of clause (ii) of that definition. Apply the argument as in the atomic case above to obtain a path $P_0$ through $\tau_0$ and a function $h_0 : W_{P_0} \to W$ such that $h_0$ witnesses that $(\mathcal{K}, \eta)$ agrees with $P_0$ and $h_0(\mathbf{w}) = w$. Then for each $n \in I$, apply Lemma 4.3.2 to the path $P_n$ through $\tau_n$ and function $h_n : W_{P_n} \to W$ witnessing that $(\mathcal{K}, \eta)$ agrees with $P_n$ with $h_n(\mathbf{w}) = w$, to obtain a path $P_{n+1}$ through $\tau_{n+1}$ extending $P_n$ and a function $h_{n+1} : W_{P_{n+1}} \to W$ extending $h_n$, witnessing that $(\mathcal{K}, \eta)$ agrees with $P_{n+1}$ and satisfying $h_{n+1}(\mathbf{w}) = w$. Then set $P = \bigcup_{n \in I} P_n$ and $h = \bigcup_{n \in I} h_n$ to obtain a path $P$ through $\tau$ such that $(\mathcal{K}, \eta)$ agrees with $P$, with the quotient map $h : W_P \to W$ satisfying $h(\mathbf{w}) = w$. ■

Theorem 4.3.3 Kripke Soundness of S4F and S4C tableaux

For all formulas $\varphi$ of $\mathcal{L}_{\Box a}$,

if $\varphi$ is S4F (S4C) tableaux provable, then for all Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$, $\mathcal{K} \Vdash \varphi$.

Proof. Suppose $\tau$ is an S4F (S4C) tableaux proof of $\varphi$, with root $F[\, \mathbf{w}_0 \Vdash \varphi \,]$, and suppose for a contradiction that $\varphi$ is not Kripke valid. Then there is a frame $\mathcal{K} = (W, R, F)$ for $\mathcal{L}_{\Box a}$, a valuation $\eta$ for $\mathcal{K}$ and a world $w_0 \in W$ such that $w_0 \nVdash_\eta \varphi$.

By Theorem 4.3.1, there is a path $P$ through $\tau$ such that $(\mathcal{K}, \eta)$ agrees with $P$, with the quotient map $h : W_P \to W$ satisfying $h(\mathbf{w}_0) = w_0$. Since $\tau$ is a tableaux proof, $P$ is contradictory, so there is a world term $t \in W_P$ and a subformula $\psi$ of $\varphi$ such that both $T[\, t \Vdash \psi \,]$ and $F[\, t \Vdash \psi \,]$ occur as entries on $P$. Since $(\mathcal{K}, \eta)$ agrees with $P$ with quotient map $h$, we have as a contradiction both $v \Vdash_\eta \psi$ and $v \nVdash_\eta \psi$ where $v = h(t) \in W$. ■


4.4  Completeness  of  Tableaux 

The construction of a tableaux is a non-deterministic procedure. To prove completeness, we give a systematic procedure for developing a tableaux, so that every entry that could occur on a non-contradictory path, does. We define the complete systematic tableaux starting with a given signed forcing assertion as its root entry. We then prove that for any non-contradictory path $P$ through this tableaux, $(\mathcal{K}_P, \eta_P)$ agrees with $P$ under the identity map. Thus if this systematic development of a tableaux $\tau$ with root entry $F[\, \mathbf{w}_0 \Vdash \varphi \,]$ fails to produce a tableaux proof of $\varphi$, then we obtain a Kripke counter-model for $\varphi$, and so demonstrate that $\varphi$ is not Kripke valid.

In this section on completeness, we are concerned with model-existence, via the existence of a non-contradictory path through the complete systematic tableaux with root entry $F[\, \mathbf{w}_0 \Vdash \varphi \,]$, for each formula $\varphi$ of $\mathcal{L}_{\Box a}$ that is not S4F or S4C tableaux provable. In general, such non-contradictory paths are infinite, and as we have defined it, the term frame of any path is infinite because we take all iterates $\mathbf{F}^k(\mathbf{w}_i)$ of each world symbol $\mathbf{w}_i$ that is the subject of a signed forcing assertion on the path. In Section 4.5 below, we establish the finite model property by specifying a suitable quotient of the term frame.

Recall from Definition 4.1.4 that when a signed forcing assertion $E$ is being developed on a path $P$, we formally require that the entry $E$ be repeated when the corresponding atomic tableaux with root entry $E$ is appended to $P$. Most signed forcing assertions occur at most twice on a path: once (called occurrence 0) when the entry first appears, either as the root entry or by one of the cases of the (Develop) rule, and again (occurrence 1) if it gets to be developed by any case other than the ($T\Box$) case of the (Develop) rule. In the ($T\Box$) case, an entry $E = T[\, t \Vdash \Box\psi \,]$ may be developed and hence repeated infinitely often, at least once for each world term $s_j \in \mathbf{W}(\mathbf{F})$. For the purposes of defining complete systematic tableaux, we make a cosmetic modification to the ($T\Box$) case in Definition 4.1.4 so that each time an entry $E = T[\, t \Vdash \Box\psi \,]$ is developed, a candidate world term $s_j \in \mathbf{W}(\mathbf{F})$ must be "declared". The revised version of the rule now reads:



($T\Box$)($s_j$) case of (Develop): A signed forcing assertion $T[\, t \Vdash \Box\psi \,]$ occurs on a (non-contradictory) path $P$ in $\tau$, and $\tau'$ is constructed from $\tau$ by appending to the end of the path $P$ either:

(a) the atomic tableaux

$$\begin{array}{c} T[\, t \Vdash \Box\psi \,] \\ | \\ T[\, s_j \Vdash \psi \,] \end{array}$$

if $t\mathbf{R}s_j$ occurs on $P$ and $T[\, s_j \Vdash \psi \,]$ does not occur on $P$, or else:

(b) the atomic tableaux consisting of the sole entry

$$T[\, t \Vdash \Box\psi \,]$$

otherwise.

So in an application of ($T\Box$)($s_j$), the entry $T[\, t \Vdash \Box\psi \,]$ will be simply repeated, without further extension of the path $P$, if either $t\mathbf{R}s_j$ does not occur on $P$ or if the $s_j$-instance $T[\, s_j \Vdash \psi \,]$ already occurs on $P$. The transformations between tableaux constructed using the original version of the ($T\Box$) case of the (Develop) rule, and tableaux constructed using the new ($T\Box$)($s_j$) cases of (Develop), are straightforward (albeit tedious).

We also use the pairing function $p : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ to keep track of attempts to develop $T\Box$ entries. When we are working on occurrence $m$ of $E = T[\, t \Vdash \Box\psi \,]$, where $m = p(j, l)$, we make the $l^{\text{th}}$ attempt at developing $E$ using ($T\Box$)($s_j$). If either $t\mathbf{R}s_j$ does not yet occur on the path, or if the $s_j$-instance $T[\, s_j \Vdash \psi \,]$ already occurs on the path, then the development of this occurrence $m$ of $E$ stops with the simple repetition of $E$; if $t\mathbf{R}s_j$ does occur on the path but $T[\, s_j \Vdash \psi \,]$ does not, the path is extended with a repetition of $E$ plus the new entry $T[\, s_j \Vdash \psi \,]$. The accessibility assertion $t\mathbf{R}s_j$ may appear later, on an extension of the current path constructed using the rules (R-Reflex), (R-Trans) or (F-Cont) or the ($F\Box$) case of the (Develop) rule if $s_j = \mathbf{w}_i$ is a world symbol that hasn't yet appeared, so we will need to make a further "$(l+1)^{\text{st}}$" attempt to develop $E$ using ($T\Box$)($s_j$).

Definition 4.4.1 Let $\tau = \bigcup_{n \in I} \tau_n$ be an S4F (S4C) tableaux and $P$ a path through $\tau$. Let $E$ be a signed forcing assertion on $\tau$ and let $e$ be occurrence $m$ of $E$ on $P$, i.e. the "$m^{\text{th}}$" node on $P$ labelled with $E$, where $m = p(j, l)$, for $j, l, m \in \mathbb{N}$.

We say $e$ is reduced on $P$ iff one of the following cases holds:

(i) $E$ is not of the form $T[\, t \Vdash \Box\psi \,]$, and for some $n$, $\tau_{n+1}$ is obtained from $\tau_n$ by an application of the appropriate case of the (Develop) rule to the entry $E$, the tableaux $\tau_n$ and the path $P_n$ through $\tau_n$, where $P_n = P \upharpoonright \tau_n$.

(ii) $E$ is of the form $T[\, t \Vdash \Box\psi \,]$, there is an occurrence $m' = p(j, l+1)$ of $E$ on $P$, and either $t\mathbf{R}s_j$ is not an entry on $P$ or $T[\, s_j \Vdash \psi \,]$ is an entry on $P$.

We say $\tau$ is finished iff for every non-contradictory path $P$ through $\tau$, every occurrence of every signed forcing assertion on $P$ is reduced on $P$.

Lemma 4.4.2 If

• $\tau$ is an S4F (S4C) tableaux;

• $P$ a non-contradictory path in $\tau$;

• $\tau'$ is an S4F (S4C) tableaux obtained from $\tau$ by extending $P$ to a non-contradictory path $P'$;

• $e$ is occurrence $m = p(j, l)$ of a signed forcing assertion $E$ on $P$; and

• $e$ is reduced on $P$;

then the only way $e$ could fail to be reduced on $P'$ is if

(0) for some $t \in \mathbf{W}(\mathbf{F})$ and $\psi \in \mathcal{L}_{\Box a}$, $E$ is $T[\, t \Vdash \Box\psi \,]$, and

(1) $t\mathbf{R}s_j$ is an entry on $P'$ but not on $P$, and

(2) $T[\, s_j \Vdash \psi \,]$ is not an entry on $P'$ (and hence not an entry on $P$).

Proof. Immediate from Definition 4.4.1. Note that since $e$ is reduced on $P$, by hypothesis, then if $E$ is $T[\, t \Vdash \Box\psi \,]$, there is an occurrence $m' = p(j, l+1)$ of $E$ on $P$ and hence on any extension $P'$. In the process of extending $P$ to $P'$, the new accessibility assertion $t\mathbf{R}s_j$ must have been appended using either the (R-Reflex), (R-Trans) or (F-Cont) rules, or using the ($F\Box$) case of the (Develop) rule if $s_j = \mathbf{w}_i$ for some world symbol $\mathbf{w}_i$ that had not yet appeared on the tableaux. ■

As a binary tree, a tableaux $\tau$ has a natural left-right ordering on the nodes (occurrences of entries) at each of its levels. As in [NS97], Definition II.6.8, define the level-lexicographic ordering $\le_{LL}$ on nodes $e$, $e'$ of a tableaux $\tau$ as follows:

$e \le_{LL} e'$ iff the level of $e$ is less than that of $e'$, or else $e$ and $e'$ are on the same level, and $e$ is to the left of $e'$

It is immediate that $\le_{LL}$ is a well-ordering of the nodes $e$ of a tableaux $\tau$: there are only finitely many nodes of $\tau$ that are $\le_{LL}$ any given node $e$.

Definition 4.4.3 For each formula $\varphi$ of $\mathcal{L}_{\Box a}$, we define the complete systematic S4F (S4C) tableaux, S4F-CST (S4C-CST) for $\varphi$ to be:

$$\tau^\varphi = \bigcup_{n \in I} \tau_n$$

for some $I \preceq \mathbb{N}$, where the sequence $\tau_n$ of finite S4F (S4C) tableaux for $\varphi$ is defined inductively as follows.

$\tau_0$ is the atomic tableaux with root entry $F[\, \mathbf{w}_0 \Vdash \varphi \,]$ (or $T[\, \mathbf{w}_0 \Vdash \varphi \,]$). This atomic tableaux is uniquely specified by requiring that in case ($F\Box$), where $E$ is $F[\, \mathbf{w}_0 \Vdash \Box\psi \,]$, we use the entries $\mathbf{w}_0\mathbf{R}\mathbf{w}_1$ and $F[\, \mathbf{w}_1 \Vdash \psi \,]$ (or in the ($T\Box$) case, the tableaux consists of the root entry only).

At stage $n$, we have by induction a finite S4F (S4C) tableaux $\tau_n$.

If $\tau_n$ is finished, then we terminate the construction. Otherwise, we extend $\tau_n$ to a finite S4F (S4C) tableaux $\tau_{n+1}$ as follows.

Case 1: $n = 4k + 1$, for $k \in \mathbb{N}$.

Then $\tau_{n+1}$ is the tableaux obtained from $\tau_n$ by appending, to the end of each non-contradictory path $P$ through $\tau_n$, the entry $s_j\mathbf{R}s_j$ for the least $j \le k$ such that:

• $s_j = \mathbf{F}^m(\mathbf{w}_l)$ and $\mathbf{w}_l$ is the subject of some signed forcing assertion on $P$, and

• $s_j\mathbf{R}s_j$ does not yet occur on $P$.

Case 2: $n = 4k + 2$, for $k \in \mathbb{N}$.

Then $\tau_{n+1}$ is the tableaux obtained from $\tau_n$ by appending, to the end of each non-contradictory path $P$ through $\tau_n$, the entry $s_i\mathbf{R}s_j$ for the least $i \le k$ and the least $j \le k$ such that:

• for some $r \in \mathbf{W}(\mathbf{F})$, both $s_i\mathbf{R}r$ and $r\mathbf{R}s_j$ are entries on $P$, and

• $s_i\mathbf{R}s_j$ does not yet occur on $P$.

Case 3: $n = 4k + 3$, for $k \in \mathbb{N}$.

For an S4F-CST, do nothing.

For an S4C-CST, construct $\tau_{n+1}$ from $\tau_n$ by appending, to the end of each non-contradictory path $P$ through $\tau_n$, an entry $\mathbf{F}(s_i)\mathbf{R}\mathbf{F}(s_j)$ for the least $i \le k$ and the least $j \le k$ such that:

• $s_i\mathbf{R}s_j$ is an entry on $P$, and

• $\mathbf{F}(s_i)\mathbf{R}\mathbf{F}(s_j)$ does not yet occur on $P$.

Case 4: $n = 4k$, for $k \in \mathbb{N}$.

Let $e$ be the $\le_{LL}$ least node of $\tau_n$ such that $e$ is an occurrence of a signed forcing assertion $E$ that is not reduced on some non-contradictory path $P$ through $\tau_n$.

Sub-case 4(i). $E$ is not of the form $T[\, t \Vdash \Box\psi \,]$. Then $\tau_{n+1}$ is the tableaux obtained from $\tau_n$ by appending to the end of every non-contradictory path $P$ through $\tau_n$ on which $e$ is not reduced, the atomic tableaux with root entry $E$, using the appropriate case of the (Develop) rule. This atomic tableaux is uniquely specified by requiring that in case ($F\Box$), where $E$ is $F[\, t \Vdash \Box\psi \,]$, we use the entries $t\mathbf{R}\mathbf{w}_i$ and $F[\, \mathbf{w}_i \Vdash \psi \,]$, where $i$ is the least $j \in \mathbb{N}$ such that $\mathbf{w}_j$ does not occur on $\tau_n$.

Sub-case 4(ii). $E$ is of the form $T[\, t \Vdash \Box\psi \,]$, $e$ is occurrence $m$ of $E$ on $P$, and $m = p(j, l)$. Then $\tau_{n+1}$ is the tableaux obtained from $\tau_n$ by appending to the end of every non-contradictory path $P$ through $\tau_n$ on which $e$ is not reduced, the atomic tableaux with root entry $E$, as determined by the ($T\Box$)($s_j$) case of the (Develop) rule.


For example, the tableaux in Figure 4.3 for the instance $[a]\Box p \to \Box[a]p$ of the continuity axiom depicts (without repetition of developed entries) an initial subtree of the S4F-CST for that formula. The sole path $P$ continues with reflexive accessibility assertions $\mathbf{F}^k(\mathbf{w}_i)\mathbf{R}\mathbf{F}^k(\mathbf{w}_i)$ for $i = 0, 1$, and for all $k \in \mathbb{N}$; the transitivity rule does not add any new entries; and the $T\Box$ entry $T[\, \mathbf{F}(\mathbf{w}_0) \Vdash \Box p \,]$ would be repeated infinitely often, without any effect since no new entries $\mathbf{F}(\mathbf{w}_0)\mathbf{R}s_j$ will ever be added.


Lemma  4.4.4  Let  t  be  a  CST  and  P  a  path  through  t. 

(i)  If  T  is  an  SAE-CST  and  F*'(w,)  RF'(wj)  is  an  entry  on  P,  then  i  <  j  and 
/  =  0. 

(ii)  If  T  is  an  S4C-CST  and  F''(w,)  RF'(wj)  is  an  entry  on  P,  then  i  <  j,  I  <  k 
and  for  k  —  I  <  r  <  I,  F^~^'*’’'(w,)  RF’’(wj)  is  an  entry  on  P. 

Proof. Requires an analysis of how accessibility assertions are added to a path using the (R-Reflex), (R-Trans) or (F-Cont) rules, or using the ($F\Box$) case of the (Develop) rule, similar to that in the proofs of Propositions 4.2.7 and 4.2.8. ■


Proposition 4.4.5 For each formula $\varphi$ of $\mathcal{L}_{\Box a}$, the S4F-CST (S4C-CST) $\tau^\varphi$ is finished.

Proof. Fix $\varphi \in \mathcal{L}_{\Box a}$ and let $\tau = \tau^\varphi = \bigcup_{n \in I} \tau_n$, for some $I \preceq \mathbb{N}$. Suppose there is an occurrence $e$ of a signed forcing assertion $E$ and a non-contradictory path $P$ through $\tau$, such that $e$ is not reduced on $P$. Suppose $t$ is the subject of $E$, $e$ is occurrence $m = p(j, l)$ of $E$, and there are $q$ nodes of $\tau$ that are $\le_{LL}$ $e$. Let $n$ be large enough so that:

(a) the occurrence $e$ of $E$ is on the path $P_n = P \upharpoonright \tau_n$; and

(b) the entry $t\mathbf{R}s_j$ is on $P_n$ if it is on $P$ at all.

Then from the definition of the CST, it is clear that we must reduce $e$ on $P$ by the time we form $\tau_{n+4q+1}$, and once $e$ is reduced, it will remain reduced by Lemma 4.4.2. So $\tau$ is finished, as required. ■


Corollary 4.4.6 Let $\tau^\varphi = \bigcup_{n \in I} \tau_n$ be the S4F-CST (S4C-CST) for some $\varphi \in \mathcal{L}_{\Box a}$, let $P$ be a non-contradictory path through $\tau^\varphi$, let $t \in \mathbf{W}(\mathbf{F})$ and let $\psi$ be a subformula of $\varphi$.

If there is an occurrence 0 on $P$ of the signed forcing assertion $T[\, t \Vdash \Box\psi \,]$, then there is an occurrence $m$ on $P$ of $T[\, t \Vdash \Box\psi \,]$, for every $m \in \mathbb{N}$.

Proof. Immediate from Theorem 4.4.5. For each $j, l \in \mathbb{N}$, an attempt will be made to develop occurrence $m = p(j, l)$ of $T[\, t \Vdash \Box\psi \,]$ on $P$ using the ($T\Box$)($s_j$) case of the (Develop) rule, so generating occurrence $m + 1$ on $P$. ■


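Theorem 4.4.7 If $\tau = \tau^\varphi = \bigcup_{n \in I} \tau_n$ is the S4F-CST (S4C-CST) for $\varphi \in \mathcal{L}_{\Box a}$, $P$ is a non-contradictory path through $\tau^\varphi$, $\mathcal{K}_P = (W_P, R_P, F_P)$ is the term frame of $P$, and $\eta_P$ is the path valuation for $\mathcal{K}_P$ (Definition 4.2.4), then

(i) for all $t, s \in W_P$,

$$t\mathbf{R}s \text{ is an entry on } P \iff (t, s) \in R_P$$

(ii) for all $t \in W_P$ and all $\psi \in \mathcal{L}_{\Box a}$,

$$T[\, t \Vdash \psi \,] \text{ is an entry on } P \implies t \Vdash_{\eta_P} \psi$$

$$F[\, t \Vdash \psi \,] \text{ is an entry on } P \implies t \nVdash_{\eta_P} \psi$$

Hence the identity function on $W_P$ witnesses that $(\mathcal{K}_P, \eta_P)$ agrees with $P$.
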
Proof. For (i), recall from Definition 4.2.1 that for S4F tableaux

$$R_P = \bigcup_{m \in \mathbb{N}} R_m$$

while from Definition 4.2.2 for S4C tableaux

$$R_P = \bigcup_{m \in \mathbb{N}} R^+_m$$

where

$$R_1 = R^+_1 = \{(t, s) \in W_P \times W_P \mid t\mathbf{R}s \text{ is an entry on } P\}$$

and for S4F tableaux,

$$R_{m+1} = R_m \cup \{(t, s) \mid (\exists r \in W_P)\ (t, r) \in R_m \text{ and } (r, s) \in R_m\}$$

while for S4C tableaux

$$R^+_{m+1} = R^+_m \cup \{(t, s) \mid (\exists r \in W_P)\ (t, r) \in R^+_m \text{ and } (r, s) \in R^+_m\} \cup \{(\mathbf{F}(t), \mathbf{F}(s)) \mid (t, s) \in R^+_m\}$$

Hence in either case, we have trivially,

$$t\mathbf{R}s \text{ is an entry on } P \implies (t, s) \in R_P$$

Dealing first with the reflexive accessibility assertions, fix $t \in W_P$, say $t = \mathbf{F}^m(\mathbf{w}_l)$. By definition of $W_P$, $\mathbf{w}_l$ is the subject of some signed forcing assertion on $P$; let $S[\, \mathbf{w}_l \Vdash \psi \,]$ be the first signed forcing assertion on $P$ having $\mathbf{w}_l$ as its subject, for any $\psi \in \mathcal{L}_{\Box a}$. Let $j = p(l, m)$, so $t = s_j$ in the fixed enumeration of world terms. Let $k$ be the least number such that $k \ge j$ and $S[\, \mathbf{w}_l \Vdash \psi \,]$ is an entry on $P_{4k+1} = P \upharpoonright \tau_{4k+1}$. Then by the definition of S4F-CST (S4C-CST), the entry $t\mathbf{R}t$ will be added to $P$ by stage $n = 4k + 1$ of the construction, if it is not already there.

For the transitive and F-functional closure, we prove by induction on $m \ge 1$ that

$$(t, s) \in R^+_m \implies t\mathbf{R}s \text{ is an entry on } P$$

for all $t, s \in W_P$. Since $R_m \subseteq R^+_m$, the induction can be trivially modified for the transitive closure alone.

For the base case of $m = 1$, the result is immediate. Assume the result holds for $m \ge 1$, and fix $t, s \in W_P$. For the inductive step, suppose $(t, s) \in R^+_{m+1} - R^+_m$. There are two cases.

Case (a): there exists $r \in W_P$ such that $(t, r) \in R^+_m$ and $(r, s) \in R^+_m$. Hence by the induction hypothesis, $t\mathbf{R}r$ and $r\mathbf{R}s$ are both entries on $P$. For some $i, j \in \mathbb{N}$, $t = s_i$ and $s = s_j$ in the fixed enumeration of world terms. Let $k$ be the least number such that $k \ge \max\{i, j\}$, and $s_i\mathbf{R}r$ and $r\mathbf{R}s_j$ are both entries on $P_{4k+2} = P \upharpoonright \tau_{4k+2}$. Then by the definition of S4F-CST (S4C-CST), the entry $t\mathbf{R}s$ (i.e. $s_i\mathbf{R}s_j$) will be added to $P$ by stage $n = 4k + 2$ of the construction, if it is not already there.

Case (b): there exist $t', s' \in W_P$ such that $t = \mathbf{F}(t')$, $s = \mathbf{F}(s')$ and $(t', s') \in R^+_m$. Hence by the induction hypothesis, $t'\mathbf{R}s'$ is an entry on $P$. For some $i, j \in \mathbb{N}$, $t' = s_i$ and $s' = s_j$ in the fixed enumeration of world terms. Let $k$ be the least number such that $k \ge \max\{i, j\}$, and $s_i\mathbf{R}s_j$ is an entry on $P_{4k+3} = P \upharpoonright \tau_{4k+3}$. Then by the definition of S4C-CST, the entry $t\mathbf{R}s$ (i.e. $\mathbf{F}(s_i)\mathbf{R}\mathbf{F}(s_j)$) will be added to $P$ by stage $n = 4k + 3$ of the construction, if it is not already there.

Hence

$$t\mathbf{R}s \text{ is an entry on } P \iff (t, s) \in R_P$$

as required.

For (ii), we proceed by induction on the complexity of formulas $\psi \in \mathcal{L}_{\Box a}$ to prove that for all $t \in W_P$,

$$T[\, t \Vdash \psi \,] \text{ is an entry on } P \implies t \Vdash_{\eta_P} \psi$$

$$F[\, t \Vdash \psi \,] \text{ is an entry on } P \implies t \nVdash_{\eta_P} \psi$$

For atomic propositions $p \in AP$, fix $t \in W_P$. We have from the definition of $\eta_P$ that

$$T[\, t \Vdash p \,] \text{ is an entry on } P \iff t \Vdash_{\eta_P} p$$

If $F[\, t \Vdash p \,]$ is an entry on $P$, then since $P$ is non-contradictory, $T[\, t \Vdash p \,]$ is not an entry on $P$, hence $t \nVdash_{\eta_P} p$.

For the inductive cases, the key result is that every occurrence of every signed forcing assertion on $P$ is reduced, since by Theorem 4.4.5, the S4F-CST (S4C-CST) $\tau$ is finished.

For the Boolean connectives $\neg$ and $\to$, the induction steps are completely trivial.

For $\Box$, assume by induction that the result holds for $\psi$ and all world terms in $W_P$. Fix $t \in W_P$ and suppose $T[\, t \Vdash \Box\psi \,]$ is an entry on $P$. By Corollary 4.4.6, for each pair $j, l \in \mathbb{N}$, there is an occurrence $m = p(j, l)$ on $P$ of $T[\, t \Vdash \Box\psi \,]$, and the reduction of this occurrence will consist of the attempt to develop the entry using the ($T\Box$)($s_j$) case of the (Develop) rule. Hence if $t\mathbf{R}s_j$ ever appears on $P$, then $T[\, s_j \Vdash \psi \,]$ will be an entry on $P$. Hence by the induction hypothesis applied to $s_j$, we have $s_j \Vdash_{\eta_P} \psi$. Since by (i), $t\mathbf{R}s_j$ is an entry on $P$ iff $(t, s_j) \in R_P$, we have by the definition of forcing that $t \Vdash_{\eta_P} \Box\psi$.

On the other hand, suppose $F[\, t \Vdash \Box\psi \,]$ is an entry on $P$. Then since (every occurrence of) this entry is reduced, we will have both $t\mathbf{R}\mathbf{w}_i$ and $F[\, \mathbf{w}_i \Vdash \psi \,]$ added as entries on $P$ at some stage $n$ in the construction of $\tau$, where the world symbol $\mathbf{w}_i$ does not previously occur in any entry in $\tau_n$. By (i), $t\mathbf{R}\mathbf{w}_i$ is an entry on $P$ iff $(t, \mathbf{w}_i) \in R_P$, so by the definition of forcing we have that $t \nVdash_{\eta_P} \Box\psi$.

For $[a]$, recall that in the term frame $\mathcal{K}_P = (W_P, R_P, F_P)$, the function $F_P$ is just the term constructor $t \mapsto \mathbf{F}(t)$. Assume by induction that the result holds for $\psi$ and all world terms in $W_P$. Fix $t \in W_P$ and suppose $T[\, t \Vdash [a]\psi \,]$ is an entry on $P$. Then since (every occurrence of) this entry is reduced, $T[\, \mathbf{F}(t) \Vdash \psi \,]$ is an entry on $P$. Hence by the induction hypothesis applied to $\mathbf{F}(t)$, we have $F_P(t) \Vdash_{\eta_P} \psi$. Then by the definition of forcing, $t \Vdash_{\eta_P} [a]\psi$.

On the other hand, suppose $F[\, t \Vdash [a]\psi \,]$ is an entry on $P$. Then since (every occurrence of) this entry is reduced, $F[\, \mathbf{F}(t) \Vdash \psi \,]$ is an entry on $P$. Hence by the induction hypothesis applied to $\mathbf{F}(t)$, we have $F_P(t) \nVdash_{\eta_P} \psi$. Then by the definition of forcing, $t \nVdash_{\eta_P} [a]\psi$. ■


Theorem 4.4.8 Kripke completeness of S4F and S4C tableaux

For each formula $\varphi$ of $\mathcal{L}_{\Box a}$, if $\varphi$ is not S4F (S4C) tableaux provable, then there is a (continuous) countable partially-ordered Kripke frame $\mathcal{K}$, and a valuation $\eta$ for $\mathcal{K}$ such that $(\mathcal{K}, \eta) \nVdash \varphi$.

Proof. Consider the S4F-CST (S4C-CST) $\tau = \tau^\varphi$ for $\varphi$ with root entry $F[\, \mathbf{w}_0 \Vdash \varphi \,]$. If $\varphi$ is not S4F (S4C) tableaux provable, then there is a non-contradictory path $P$ through $\tau$. Let $\mathcal{K}_P = (W_P, R_P, F_P)$ be the term frame for $P$ and let $\eta_P$ be the canonical valuation for $\mathcal{K}_P$. By Proposition 4.2.7 (Proposition 4.2.8), $W_P$ is countable, $R_P$ is a partial order, and $F_P$ is injective. By Theorem 4.4.7, $(\mathcal{K}_P, \eta_P)$ agrees with $P$, witnessed by the identity map. Hence $\mathbf{w}_0 \nVdash_{\eta_P} \varphi$, and so $(\mathcal{K}_P, \eta_P) \nVdash \varphi$. ■


4.5  Finite  Quotients  and  Decidability 

For each $\varphi \in \mathcal{L}_{\Box a}$, the construction of the complete systematic S4F (or S4C) tableaux with root entry $F[\, \mathbf{w}_0 \Vdash \varphi \,]$ is a deterministic procedure. If $\varphi$ is S4F (S4C) tableaux provable, then the CST construction will terminate with a finite proof, but if $\varphi$ is not S4F (S4C) tableaux provable, then the result will, in general, be an infinite tableaux. We prove the finite model property, and thus decidability, by defining a quotient $\mathcal{K}_P^*$ of the term frame $\mathcal{K}_P$ such that $|W_P^*| \le 3^n$, where $n$ is the number of subformulas of $\varphi$.

Definition 4.5.1 For each $\varphi \in \mathcal{L}_{\Box a}$, let $SF(\varphi)$ denote the set of all subformulas of $\varphi$. Define the set of signed subformulas of $\varphi$, $SSF(\varphi)$, by:

$$SSF(\varphi) = \{T[\psi] \mid \psi \in SF(\varphi)\} \cup \{F[\psi] \mid \psi \in SF(\varphi)\}$$

Let $\tau$ be the S4F-CST or the S4C-CST for $\varphi \in \mathcal{L}_{\Box a}$. For each world term $t \in \mathbf{W}(\mathbf{F})$ and path $P$ through $\tau$, define

$$S_P(t) = \{T[\psi] \mid T[\, t \Vdash \psi \,] \text{ is an entry on } P\} \cup \{F[\psi] \mid F[\, t \Vdash \psi \,] \text{ is an entry on } P\}$$

A subset $S \subseteq SSF(\varphi)$ of signed subformulas of $\varphi$ is called inconsistent if there is a $\psi \in SF(\varphi)$ such that both $T[\psi] \in S$ and $F[\psi] \in S$; and consistent otherwise.

Note that the empty set is consistent. A path $P$ through a CST is non-contradictory iff for each $t \in W_P$, the set $S_P(t)$ is consistent. Note also that terms $t = \mathbf{F}^k(\mathbf{w}_i)$ where $k > [a]\text{-rank}(\varphi)$ will always have $S_P(t) = \emptyset$.

If the cardinality $|SF(\varphi)| = n$, then $|SSF(\varphi)| = 2n$. For each $t \in \mathbf{W}(\mathbf{F})$ and path $P$ through the CST $\tau^\varphi$, we clearly have:

$$S_P(t) \subseteq SSF(\varphi)$$

hence there are at most $2^{2n} = 4^n$ possibilities for $S_P(t)$. Moreover, for subsets $S \subseteq SSF(\varphi)$, if $n + 1 \le |S| \le 2n$, then $S$ is inconsistent. By simple combinatorics, the number of consistent subsets of cardinality $k$ is $2^k \binom{n}{k}$. Hence the total number of consistent subsets $S \subseteq SSF(\varphi)$ is:

$$\sum_{k=0}^{n} 2^k \binom{n}{k} = 3^n$$
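
The counting argument above can be checked mechanically. The following Python sketch is an added example, not part of the report: for the continuity-axiom instance $[a]\Box p \to \Box[a]p$ it computes the subformulas, the signed subformulas and the $[a]$-rank, counts the consistent sets of signed subformulas by brute force, and groups a hand-constructed family of sets $S_P(t)$ by equality. The tuple encoding of formulas, the function names and the sample sets are assumptions of the example.

```python
from itertools import combinations

# Formulas as nested tuples (an encoding chosen for this example):
#   ("p", name) | ("not", f) | ("imp", f, g) | ("box", f) | ("a", f)
P = ("p", "p")
# The instance [a]Box p -> Box[a]p of the continuity axiom.
CONT = ("imp", ("a", ("box", P)), ("box", ("a", P)))


def subformulas(phi):
    """SF(phi): all subformulas of phi, including phi itself."""
    subs = {phi}
    for arg in phi[1:]:
        if isinstance(arg, tuple):  # skip the name string of an atom
            subs |= subformulas(arg)
    return subs


def a_rank(phi):
    """[a]-rank: the number of subformulas of phi of the form [a]psi."""
    return sum(1 for psi in subformulas(phi) if psi[0] == "a")


def signed_subformulas(phi):
    """SSF(phi): T[psi] and F[psi] for every psi in SF(phi)."""
    return {(sign, psi) for psi in subformulas(phi) for sign in ("T", "F")}


def is_consistent(signed_set):
    """Consistent iff no psi occurs with both signs T and F."""
    return not any(("T", psi) in signed_set and ("F", psi) in signed_set
                   for _sign, psi in signed_set)


def consistent_counts(phi):
    """counts[k] = number of consistent subsets of SSF(phi) of cardinality k."""
    ssf = list(signed_subformulas(phi))
    counts = [0] * (len(ssf) + 1)
    for k in range(len(ssf) + 1):
        for subset in combinations(ssf, k):
            if is_consistent(frozenset(subset)):
                counts[k] += 1
    return counts


def quotient_classes(s_p):
    """Group world terms t by the set S_P(t); one class per distinct set."""
    classes = {}
    for term, signed_set in s_p.items():
        classes.setdefault(frozenset(signed_set), []).append(term)
    return classes


def sample_path_sets():
    """Constructed sample: sets S_P(t) for terms F^k(w_i), keyed by (symbol, k).

    Worked out by hand for a non-contradictory S4F path with root F[w0 |- CONT];
    terms that carry no signed forcing assertion get the empty set.
    """
    box_p, a_p = ("box", P), ("a", P)
    s_p = {
        ("w0", 0): {("F", CONT), ("T", ("a", box_p)), ("F", ("box", a_p))},
        ("w0", 1): {("T", box_p), ("T", P)},
        ("w1", 0): {("F", a_p)},
        ("w1", 1): {("F", P)},
    }
    for sym in ("w0", "w1"):
        for k in range(2, a_rank(CONT) + 2):
            s_p[(sym, k)] = set()
    return s_p


if __name__ == "__main__":
    n = len(subformulas(CONT))
    counts = consistent_counts(CONT)
    print("n =", n, " [a]-rank =", a_rank(CONT))
    print("consistent subsets by cardinality:", counts)
    print("total:", sum(counts), " 3^n:", 3 ** n)
    print("distinct S_P(t):", len(quotient_classes(sample_path_sets())))
```

The brute-force count visits all $4^n$ subsets of the signed subformulas, so it is only practical for small formulas; its purpose is to confirm the closed form, not to replace it.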

Lemma 4.5.2 Let $\tau$ be the S4F-CST or the S4C-CST for $\varphi \in \mathcal{L}_{\Box a}$, suppose $P$ is a non-contradictory path through $\tau$, and let $\mathcal{K}_P = (W_P, R_P, F_P)$ be the term frame for $P$. Then for all $\psi, \chi \in \mathcal{L}_{\Box a}$, $p \in AP$ and $t \in W_P$:

• if $T[p] \in S_P(t)$ then $F[p] \notin S_P(t)$;

• if $F[p] \in S_P(t)$ then $T[p] \notin S_P(t)$;

• if $T[\neg\psi] \in S_P(t)$ then $F[\psi] \in S_P(t)$;

• if $F[\neg\psi] \in S_P(t)$ then $T[\psi] \in S_P(t)$;

• if $T[\psi \to \chi] \in S_P(t)$ then $F[\psi] \in S_P(t)$ or $T[\chi] \in S_P(t)$;

• if $F[\psi \to \chi] \in S_P(t)$ then $T[\psi] \in S_P(t)$ and $F[\chi] \in S_P(t)$;

• if $T[\Box\psi] \in S_P(t)$ then for all $s \in W_P$, if $(t,s) \in R_P$ then $T[\psi] \in S_P(s)$;

• if $F[\Box\psi] \in S_P(t)$ then for some $w_j \in W_P$, $(t,w_j) \in R_P$ and $F[\psi] \in S_P(w_j)$;

• if $T[[a]\psi] \in S_P(t)$ then $T[\psi] \in S_P(F(t))$;

• if $F[[a]\psi] \in S_P(t)$ then $F[\psi] \in S_P(F(t))$.

Proof. The clauses for atomic propositions follow from the fact that $S_P(t)$ is consistent since the path $P$ is non-contradictory. The other clauses are essentially a translation into the notation $S_P(t)$ of Theorem 4.4.5 that every S4F-CST or S4C-CST is finished, so every occurrence on $P$ of a signed forcing assertion is reduced on $P$, together with:

$(t,s) \in R_P \iff tRs$ is an entry on $P$

from Theorem 4.4.7, (i). ■

The content of the lemma is that, in the language of [Fi83], the family of finite sets of signed formulas $\{ S_P(t) \mid t \in W_P \}$ is a consistency property; the term Hintikka structure is also commonly used (although usually for unsigned formulas).

Definition 4.5.3 Let $\tau$ be the S4F-CST or the S4C-CST for $\varphi \in \mathcal{L}_{\Box a}$, let $P$ be a path through $\tau$, and let $\mathcal{K}_P = (W_P, R_P, F_P)$ be the term frame for $P$, with $\eta_P$ its path valuation.

Define an equivalence relation $\equiv_P$ on $W_P$ by:

$t \equiv_P s$ iff $S_P(t) = S_P(s)$

Let $\bar{t} = \{ s \in W_P \mid t \equiv_P s \}$ and let $W_P^{\#}$ denote the set of all $\equiv_P$-equivalence classes $\bar{t}$. Define $\mathcal{K}_P^{\#} = (W_P^{\#}, R_P^{\#}, F_P^{\#})$ to be the minimal quotient (Lemma 3.3.2) under the surjective map $h : W_P \to W_P^{\#}$ given by $h(t) = \bar{t}$; i.e. for all $t, s \in W_P$,

$h(t) = h(s) \iff S_P(t) = S_P(s)$

and

$(h(t), h(s)) \in R_P^{\#} \iff (t,s) \in R_P$

and

$F_P^{\#}(h(t)) = h(F_P(t)) = h(F(t))$

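Theorem 4.5.4 Finite model property for S4F and S4C.

Let $\tau$ be the S4F-CST or the S4C-CST for $\varphi \in \mathcal{L}_{\Box a}$, with root entry $F[\, w_0 \Vdash \varphi \,]$, and suppose $P$ is a non-contradictory path through $\tau$. Let $\mathcal{K}_P = (W_P, R_P, F_P)$ be the term frame for $P$, with $\eta_P$ its canonical valuation, and let $\mathcal{K}_P^{\#} = (W_P^{\#}, R_P^{\#}, F_P^{\#})$ be the minimal quotient of $\mathcal{K}_P$ under $\equiv_P$. Then:

(a) The equivalence relation $\equiv_P$ is of finite index: if $n = |SF(\varphi)|$ then $|W_P^{\#}| \le 3^n$.

(b) The induced valuation $\eta_P^{\#} : W_P^{\#} \to \mathcal{P}(AP)$ given by:

$\eta_P^{\#}(h(t)) = \eta_P(t) = \{ p \in AP \mid T[\, t \Vdash p \,] \text{ is an entry on } P \}$

is well-defined.

(c) For all $\psi \in \mathcal{L}_{\Box a}$ and $t \in W_P$,

$h(t) \Vdash^{\#} \psi \iff t \Vdash \psi$

where $\Vdash$ abbreviates $\Vdash_{\eta_P}$ and $\Vdash^{\#}$ abbreviates $\Vdash_{\eta_P^{\#}}$.

Hence $(\mathcal{K}_P^{\#}, \eta_P^{\#})$ agrees with $P$, and in particular, $h(w_0) \nVdash^{\#} \varphi$, so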

Proof. For (a), observe that each equivalence class $h(t) \in W_P^{\#}$ is associated with the set $S_P(t)$ of signed subformulas of $\varphi$, where $S_P(t) \ne S_P(s)$ iff $h(t) \ne h(s)$, and since $P$ is non-contradictory, each $S_P(t)$ is consistent. Since there are $3^n$ consistent subsets of $SSF(\varphi)$, we have $|W_P^{\#}| \le 3^n$.

For (b), note that the canonical valuation $\eta_P$ satisfies

$\eta_P(t) = \{ p \in AP \mid T[p] \in S_P(t) \}$

Hence $h(t) = h(s)$ implies $\eta_P(t) = \eta_P(s)$ and so $\eta_P^{\#}(h(t)) = \eta_P^{\#}(h(s))$.

For (c), we proceed by induction on formulas $\psi \in \mathcal{L}_{\Box a}$ to show that for all $t \in W_P$,

$h(t) \Vdash^{\#} \psi \iff t \Vdash \psi$

For atomic propositions $p \in AP$, we have

$h(t) \Vdash^{\#} p \iff p \in \eta_P^{\#}(h(t)) = \eta_P(t)$

and $P$ is non-contradictory, so the result is immediate.

The inductive clauses involve only mechanical appeals to the definition of forcing together with the definition of the quotient $\mathcal{K}_P^{\#}$.

For example, for the $\Box$ case, assume by induction the result holds for $\psi$ and all $s \in W_P$. Then

$h(t) \Vdash^{\#} \Box\psi$

$\iff$ for all $s \in W_P$, if $(h(t), h(s)) \in R_P^{\#}$ then $h(s) \Vdash^{\#} \psi$ (1)

$\iff$ for all $s \in W_P$, if $(t,s) \in R_P$ then $s \Vdash \psi$ (2)

$\iff$ $t \Vdash \Box\psi$ (3)

where the equivalence (1) is from the definition of $W_P^{\#} = \{ h(s) \mid s \in W_P \}$ and forcing in $\mathcal{K}_P^{\#}$ for $\Box$ formulas; (2) is from the definition of $R_P^{\#}$ and the induction hypothesis; and (3) is just forcing in $\mathcal{K}_P$ for $\Box$ formulas.

Similarly, for the $[a]$ case, assume by induction the result holds for $\psi$ and all $s \in W_P$. Then

$h(t) \Vdash^{\#} [a]\psi$

$\iff$ $F_P^{\#}(h(t)) \Vdash^{\#} \psi$ (1)

$\iff$ $h(F_P(t)) \Vdash^{\#} \psi$ (2)

$\iff$ $F_P(t) \Vdash \psi$ (3)

$\iff$ $t \Vdash [a]\psi$ (4)

where (1) is forcing in $\mathcal{K}_P^{\#}$ for $[a]$ formulas; (2) is from the equation $F_P^{\#} \circ h = h \circ F_P$; (3) is the induction hypothesis applied to $s = F_P(t)$; and (4) is just forcing in $\mathcal{K}_P$ for $[a]$ formulas.

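From Theorem 4.4.7, (ii), we have

$T[\, t \Vdash \psi \,]$ is an entry on $P$ $\implies$ $t \Vdash \psi$

$F[\, t \Vdash \psi \,]$ is an entry on $P$ $\implies$ $t \nVdash \psi$

Hence

$T[\, t \Vdash \psi \,]$ is an entry on $P$ $\implies$ $h(t) \Vdash^{\#} \psi$

$F[\, t \Vdash \psi \,]$ is an entry on $P$ $\implies$ $h(t) \nVdash^{\#} \psi$

and so the quotient map $h$ witnesses that $(\mathcal{K}_P^{\#}, \eta_P^{\#})$ agrees with $P$. ■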

Corollary  4.5.5  The  logics  S4F  and  S4C  are  decidable. 


$(\mathcal{K}_P^{\#}, \eta_P^{\#})$ is most certainly a near relative of the finite model one would get if one took a filtration through the set of subformulas $SF(\varphi)$ of the canonical maximal-consistent sets model $(\mathcal{K}_0, \eta_0)$ of Propositions 2.3.7 and 3.2.3.
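Corollary 4.5.6

For each formula $\varphi$ of $\mathcal{L}_{\Box a}$, the following are equivalent:

(1.) S4F (S4C) $\vdash_T \varphi$

(2.) S4F (S4C) $\vdash_H \varphi$

(3.) $\mathfrak{T} \models \varphi$ for all (continuous) topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box a}$;

(4.) $\mathfrak{T} \models \varphi$ for all (continuous) D-topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box a}$;

(5.) $\mathcal{K} \Vdash \varphi$ for all (continuous) Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$;

(6.) $\mathfrak{T} \models \varphi$ for all (continuous) countable $T_0$ D-topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box a}$;

(7.) $\mathcal{K} \Vdash \varphi$ for all (continuous) countable partially-ordered Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$;

(8.) $\mathcal{K} \Vdash \varphi$ for all (continuous) finite Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box a}$.
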


Proof. (8.) $\Rightarrow$ (1.) is Theorem 4.5.4, and (5.) $\Rightarrow$ (8.) is trivial. (7.) $\Rightarrow$ (1.) is the completeness theorems for S4F (S4C) tableaux, in Theorem 4.4.8. (1.) $\Rightarrow$ (5.) is the Kripke soundness of S4F (S4C) tableaux, in Theorem 4.3.3. (3.) $\Rightarrow$ (4.) and (5.) $\Rightarrow$ (7.) are trivial. (4.) $\Leftrightarrow$ (5.) and (6.) $\Leftrightarrow$ (7.) are Corollaries 2.4.13 (3.1.6) and 2.4.14 (3.1.7). (2.) $\Rightarrow$ (3.) is the topological soundness of the Hilbert-style proof system, in Proposition 2.2.2 (3.2.2). And (5.) $\Rightarrow$ (2.) is the Kripke completeness results for the Hilbert-style proof system, in Proposition 2.3.7 (3.2.3). In summary,

(5.) $\Rightarrow$ (8.) $\Rightarrow$ (1.) $\Rightarrow$ (5.)

(5.) $\Rightarrow$ (2.) $\Rightarrow$ (3.) $\Rightarrow$ (4.) $\Leftrightarrow$ (5.)

(5.) $\Rightarrow$ (7.) $\Rightarrow$ (1.) $\Rightarrow$ (5.)

(6.) $\Leftrightarrow$ (7.) ■
Chapter 5

Topological Propositional Dynamic Logic TPDL
5.1  Syntax  and  Topological  Semantics 

S4C is the logic of one continuous action, and although not without interest in its own right, its purpose is primarily to provide a solid foundation. We need to be able to talk about more actions, and we need to be able to combine them in interesting ways. To this effect, we create a modal, S4-based, dynamic logic by overlaying the apparatus of propositional dynamic logic ([FL79], [Pra79], [Par81], [Seg82]).

In this setting, atomic actions $a \in \Sigma$ will be interpreted by continuous total functions, and compound actions $\alpha \in Act(\Sigma)$ are generated using the Kleene operations of composition, sum (non-deterministic choice) and iteration (star). The “test” operation is omitted at this stage, pending a further clarification of an appropriate semantics. So what is overlaid on S4C is actually the test-free fragment of deterministic propositional dynamic logic DPDL, further restricted to atomic actions whose interpretations are both functional (deterministic) and total. DPDL is studied in [BHP82]. A precursor can be found in [Con77], where atomic commands are interpreted by partial functions. Within the “algorithmic logic” school of Salwicki and Mirkowska, the logic of deterministic total actions is briefly studied in [MS87], Chp. V, §8.

Very  recent  work  of  Kremer,  Mints  and  Rybakov  (see  the  abstracts  [KrMi97], 
[Kre97],  and  [KrMiR97])  examines  a  family  of  logics  DTL  (Dynamic  Topological 
Logics) extending S4 by the addition of a “next” operator $\bigcirc$ corresponding to our
$[a]$ modality, for a single atomic action $a$, and a “star” operator corresponding to
[a*].  The  abstract  announces  axiomatizations  of  various  fragments;  for  example,  the 
star-free  fragment  of  the  logic  OTL-^  of  homeomorphic  functions. 


Definition 5.1.1 Let $\Phi = AP$ be a countable set of atomic propositions, and let $\Sigma$ be a countable set of atomic actions. The set of formulas $Form(\Phi,\Sigma)$ and the set of action expressions (or more simply, actions) $Act(\Sigma)$ of the language $\mathcal{L}_{\Box}(\Phi,\Sigma) = Form(\Phi,\Sigma) \cup Act(\Sigma)$ are defined inductively as follows:

• if $a \in \Sigma$, then $a \in Act(\Sigma)$;

• if $\alpha, \beta \in Act(\Sigma)$ then $(\alpha\beta) \in Act(\Sigma)$, $(\alpha + \beta) \in Act(\Sigma)$ and $(\alpha^*) \in Act(\Sigma)$;

• if $p \in \Phi$ then $p \in Form(\Phi,\Sigma)$;

• if $\varphi, \psi \in Form(\Phi,\Sigma)$ then $\neg\varphi \in Form(\Phi,\Sigma)$, $(\varphi \to \psi) \in Form(\Phi,\Sigma)$ and $\Box\varphi \in Form(\Phi,\Sigma)$;

• if $\varphi \in Form(\Phi,\Sigma)$ and $\alpha \in Act(\Sigma)$ then $\langle\alpha\rangle\varphi \in Form(\Phi,\Sigma)$.

We omit parentheses when no confusion results.
For each $\alpha \in Act(\Sigma)$, define:

$[\alpha]\varphi = \neg\langle\alpha\rangle\neg\varphi$

and define the other Boolean connectives and constants, as well as the S4 $\Diamond$ operator, as in Section 2.1 above.

The intended intuitive reading of formulas is:

$[\alpha]\varphi$ ~ “action $\alpha$ always makes it the case that $\varphi$”

$\langle\alpha\rangle\varphi$ ~ “action $\alpha$ sometimes makes it the case that $\varphi$”

with “sometimes = always” for atomic actions $a \in \Sigma$, and more generally, for compositions of atomic actions. The intended reading of action expressions is:

$\alpha\beta$ ~ “perform action $\alpha$, then action $\beta$”
$\alpha + \beta$ ~ “perform (non-deterministically) either action $\alpha$ or action $\beta$”
$\alpha^*$ ~ “perform action $\alpha$ repeatedly, some finite number of times”

A finite sequence (under composition) of atomic actions is a word

$u = (a_1 \cdots a_n) \in \Sigma^*$

which can be thought of as a basic control script. We say more about what can be expressed in the language and logic in Section 5.3 below.


Definition 5.1.2 Given a topological space $(X, \mathcal{T})$, let $C_{\mathcal{T}}(X)$ denote the set of all total functions $f : X \to X$ that are continuous w.r.t. the topology $\mathcal{T}$.


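Definition 5.1.3 A (continuous) topological structure for the language $\mathcal{L}_{\Box}(\Phi,\Sigma)$ is a triple $\mathfrak{T} = (X, \mathcal{T}, \nu)$ where

• $X \ne \emptyset$ is the state space;

• $\mathcal{T} \subseteq \mathcal{P}(X)$ is a topology on $X$; and

• $\nu : \Sigma \to C_{\mathcal{T}}(X)$ is a map assigning a continuous total function $\nu(a) : X \to X$ to each atomic action $a \in \Sigma$.

The map $\nu$ uniquely extends to a map $\sigma = \sigma_\nu : Act(\Sigma) \to (\mathcal{P}(X) \to \mathcal{P}(X))$, assigning a unary operator $\sigma(\alpha) : \mathcal{P}(X) \to \mathcal{P}(X)$ to each action $\alpha \in Act(\Sigma)$, according to the following inductive clauses, where $a \in \Sigma$, $\alpha, \beta \in Act(\Sigma)$, and $A \in \mathcal{P}(X)$:

$(\sigma(a))(A) = \nu(a)^{-1}(A)$

$(\sigma(\alpha\beta))(A) = (\sigma(\alpha) \circ \sigma(\beta))(A)$

$(\sigma(\alpha + \beta))(A) = (\sigma(\alpha))(A) \cup (\sigma(\beta))(A)$

where $\sigma(\alpha)^0 = 1_{\mathcal{P}(X)}$ is the identity operator on $\mathcal{P}(X)$ and $\sigma(\alpha)^{k+1} = \sigma(\alpha) \circ \sigma(\alpha)^k$.

A valuation for a topological structure $\mathfrak{T} = (X, \mathcal{T}, \nu)$ is any map $\xi : \Phi \to \mathcal{P}(X)$ assigning a subset $\xi(p) \subseteq X$ to each $p \in \Phi$. Each such valuation uniquely extends to a valuation map $\|\cdot\|_\xi : Form(\Phi,\Sigma) \to \mathcal{P}(X)$, assigning a subset $\|\varphi\|_\xi \in \mathcal{P}(X)$ to each formula $\varphi \in Form(\Phi,\Sigma)$, according to the following inductive clauses, where $p \in \Phi$, $\varphi, \psi \in Form(\Phi,\Sigma)$, and $\alpha \in Act(\Sigma)$: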

$\|p\|_\xi = \xi(p)$

Hay’ll^  =  (||v5||^) 

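$\|\langle\alpha\rangle\varphi\|_\xi = \sigma(\alpha)(\|\varphi\|_\xi)$

A topological model for $\mathcal{L}_{\Box}(\Phi,\Sigma)$ is a pair $(\mathfrak{T}, \xi)$, where $\xi$ is a valuation for $\mathfrak{T}$.

For formulas $\varphi \in Form(\Phi,\Sigma)$, the notions of satisfiability and truth in a model $(\mathfrak{T}, \xi)$, validity in a structure $\mathfrak{T}$, and topological validity, are as in Definition 2.1.5.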


The topological semantics for the defined action modalities $[\alpha]$ are given by:


By Boolean duality, we can define a family of unary operators $\pi(\alpha)$ interpreting the $[\alpha]$ modalities which agree with $\sigma(\alpha)$ at the atomic level; i.e. for atomic actions $a \in \Sigma$,

$\pi(a) = (-\sigma(a)-) = \sigma(a) = \nu(a)^{-1}$


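Proposition 5.1.4 Let $\mathfrak{T} = (X, \mathcal{T}, \nu)$ be a topological structure for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, and let $\sigma : Act(\Sigma) \to (\mathcal{P}(X) \to \mathcal{P}(X))$ be the operator map induced by $\nu$. For each action $\alpha \in Act(\Sigma)$, define its Boolean dual operator $\pi(\alpha) : \mathcal{P}(X) \to \mathcal{P}(X)$ by:

Then for $a \in \Sigma$, $\alpha, \beta \in Act(\Sigma)$, $A \in \mathcal{P}(X)$ and $\varphi \in Form(\Phi,\Sigma)$:

$(\pi(a))(A) = \nu(a)^{-1}(A) = \sigma(a)(A)$

$(\pi(\alpha\beta))(A) = (\pi(\alpha) \circ \pi(\beta))(A)$

$(\pi(\alpha + \beta))(A) = (\pi(\alpha))(A) \cap (\pi(\beta))(A)$

$(\pi(\alpha^*))(A) = \bigcap_{k \in \mathbb{N}} (\pi(\alpha)^k)(A)$

where $\pi(\alpha)^0 = 1_{\mathcal{P}(X)}$ is the identity operator on $\mathcal{P}(X)$ and $\pi(\alpha)^{k+1} = \pi(\alpha) \circ \pi(\alpha)^k$.
Hence for any valuation $\xi$ for $\mathfrak{T}$, we have:

$\|[\alpha]\varphi\|_\xi = \pi(\alpha)(\|\varphi\|_\xi)$

Proof. Straightforward induction on actions $\alpha$. ■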

The remainder of this section is devoted to studying the behavior of $\sigma(\alpha)$ and $\pi(\alpha)$ as operators on the topological Boolean algebra

$\mathfrak{B}_{\mathcal{T}}(X) = (\mathcal{P}(X), \cup, \cap, -, X, \emptyset, int_{\mathcal{T}})$

of a topological space $(X, \mathcal{T})$, and identifying the sense in which these operators are continuous relative to the topology $\mathcal{T}$. The behavior of the operators can be separated into two sorts: how they behave with respect to the Boolean algebra operations, and how they behave with respect to the topological interior operator. The pioneering work on Boolean algebras with operators is Jónsson and Tarski’s [JT51].


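Definition 5.1.5 [JT51].

Let $(X, \mathcal{T})$ be a topological space, and let $\mathfrak{B}_{\mathcal{T}}(X) = (\mathcal{P}(X), \cup, \cap, -, X, \emptyset, int_{\mathcal{T}})$ be its topological Boolean algebra.

A unary operator $H : \mathcal{P}(X) \to \mathcal{P}(X)$ is called normal and completely additive on $\mathfrak{B}_{\mathcal{T}}(X)$, abbreviated “nca”, iff for all $A, B, A_i \in \mathcal{P}(X)$,

(a) $H(\emptyset) = \emptyset$;

(b) $H(\bigcup_{i \in I} A_i) = \bigcup_{i \in I} H(A_i)$;

(c) if $A \subseteq B$ then $H(A) \subseteq H(B)$;

(d) $H(A \cap B) \subseteq H(A) \cap H(B)$.

Dually, a unary operator $H : \mathcal{P}(X) \to \mathcal{P}(X)$ is called normal and completely multiplicative on $\mathfrak{B}_{\mathcal{T}}(X)$, abbreviated “ncm”, iff for all $A, B, A_i \in \mathcal{P}(X)$,

(a') $H(X) = X$;

(b') $H(\bigcap_{i \in I} A_i) = \bigcap_{i \in I} H(A_i)$;

(c') if $A \subseteq B$ then $H(A) \subseteq H(B)$;

(d') $H(A) \cup H(B) \subseteq H(A \cup B)$.

We call a unary operator $H : \mathcal{P}(X) \to \mathcal{P}(X)$ continuous on $\mathfrak{B}_{\mathcal{T}}(X)$ iff for all $A \in \mathcal{P}(X)$,

$H(int_{\mathcal{T}}(A)) \subseteq int_{\mathcal{T}}(H(A))$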


The  terms  “normal”  and  “completely  additive”  are  from  [JT51],  and  refer  to 
properties  (a)  and  (b)  respectively.  Properties  (c)  and  (d)  are  trivial  consequences 

t  ^  reference.  Observe  that  if  a  unary  operator 

$H : \mathcal{P}(X) \to \mathcal{P}(X)$ is nca, then considering $\mathcal{P}(X)$ as a dcpo (pointed, directed-complete partial order) under inclusion, then $H$ is trivially Scott-continuous, since Scott-continuity only requires preservation of directed unions.

The notion of continuity in $\mathfrak{B}_{\mathcal{T}}(X)$ is an abstraction of the behavior of the inverse-image $f^{-1}$ with respect to the $int_{\mathcal{T}}$ operator when $f$ is continuous with respect to

Lemma 5.1.6 Let $\mathfrak{B}_{\mathcal{T}}(X)$ be the topological Boolean algebra of a topological space $(X, \mathcal{T})$ and let $H : \mathcal{P}(X) \to \mathcal{P}(X)$ be a unary operator which is $\subseteq$-monotone (properties (c) and (c') in Definition 5.1.5). Then the following are equivalent:

(i) $H$ is continuous on $\mathfrak{B}_{\mathcal{T}}(X)$;

(ii) for all $A \in \mathcal{P}(X)$, $H(int_{\mathcal{T}}(A)) = int_{\mathcal{T}}(H(int_{\mathcal{T}}(A)))$;

(iii) for all open $U \in \mathcal{T}$, $H(U) \in \mathcal{T}$.

Proof. Going back to the proof of Proposition 3.1.1, the only property of the inverse-image needed to establish these equivalences in the case $H = f^{-1}$ (for total $f : X \to X$) is $\subseteq$-monotonicity. ■

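Lemma 5.1.7 Let $\mathfrak{T} = (X, \mathcal{T}, \nu)$ be a topological structure for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, let $\sigma : Act(\Sigma) \to (\mathcal{P}(X) \to \mathcal{P}(X))$ be the operator map induced by $\nu$, let $\mathfrak{B}_{\mathcal{T}}(X)$ be the topological Boolean algebra of $(X, \mathcal{T})$, and let $\alpha \in Act(\Sigma)$.

(i) The operator $\sigma(\alpha)$ is nca and continuous on $\mathfrak{B}_{\mathcal{T}}(X)$.

(ii) The operator $\pi(\alpha)$ is ncm, and if $\mathcal{T}$ is a D-topology then $\pi(\alpha)$ is continuous on $\mathfrak{B}_{\mathcal{T}}(X)$.

(iii) for all $A \in \mathcal{P}(X)$, $\pi(\alpha)(A) \subseteq \sigma(\alpha)(A)$.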

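Proof. The base case of the induction on actions $\alpha \in Act(\Sigma)$ for each of (i), (ii) and (iii) is immediate: for atomic actions $a \in \Sigma$, $\sigma(a) = \pi(a) = f^{-1}$ where $f = \nu(a) : X \to X$ is a total function continuous w.r.t. $\mathcal{T}$. For (i), establishing the nca properties of $\sigma(\alpha)$ is easy. We write out the details of the induction on actions $\alpha \in Act(\Sigma)$ for the continuity of $\sigma(\alpha)$ on $\mathfrak{B}_{\mathcal{T}}(X)$:

$\sigma(\alpha)(int_{\mathcal{T}}(A)) \subseteq int_{\mathcal{T}}(\sigma(\alpha)(A))$

The base case for atomic actions is done. For composition,

$\sigma(\alpha\beta)(int_{\mathcal{T}}(A))$

$= \sigma(\alpha)(\sigma(\beta)(int_{\mathcal{T}}(A)))$

$\subseteq \sigma(\alpha)(int_{\mathcal{T}}(\sigma(\beta)(A)))$   [Ind. Hyp. for $\beta$ and $A$]

$\subseteq int_{\mathcal{T}}(\sigma(\alpha)(\sigma(\beta)(A)))$   [Ind. Hyp. for $\alpha$ and $\sigma(\beta)(A)$]

$= int_{\mathcal{T}}(\sigma(\alpha\beta)(A))$

For sum,

$\sigma(\alpha + \beta)(int_{\mathcal{T}}(A))$

$= \sigma(\alpha)(int_{\mathcal{T}}(A)) \cup \sigma(\beta)(int_{\mathcal{T}}(A))$

$\subseteq int_{\mathcal{T}}(\sigma(\alpha)(A)) \cup int_{\mathcal{T}}(\sigma(\beta)(A))$   [Ind. Hyp. for $\alpha$, $\beta$ and $A$]

$\subseteq int_{\mathcal{T}}(\sigma(\alpha)(A) \cup \sigma(\beta)(A))$   [$\cup$ property of $int_{\mathcal{T}}$]

$= int_{\mathcal{T}}(\sigma(\alpha + \beta)(A))$

Finally, for iteration, it is readily verified by induction on $k$ that if $\sigma(\alpha)(int_{\mathcal{T}}(A)) \subseteq int_{\mathcal{T}}(\sigma(\alpha)(A))$ for all $A \subseteq X$, then $\sigma(\alpha)^k(int_{\mathcal{T}}(A)) \subseteq int_{\mathcal{T}}(\sigma(\alpha)^k(A))$ for all $k \in \mathbb{N}$ and all $A \subseteq X$. Then

$\sigma(\alpha^*)(int_{\mathcal{T}}(A))$

$= \bigcup_{k \in \mathbb{N}} \sigma(\alpha)^k(int_{\mathcal{T}}(A))$

$\subseteq \bigcup_{k \in \mathbb{N}} int_{\mathcal{T}}(\sigma(\alpha)^k(A))$   [result for $\sigma(\alpha)^k$ and $A$]

$\subseteq int_{\mathcal{T}}(\bigcup_{k \in \mathbb{N}} \sigma(\alpha)^k(A))$   [$\cup$ property of $int_{\mathcal{T}}$]

$= int_{\mathcal{T}}(\sigma(\alpha^*)(A))$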

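For (ii), the ncm properties of $\pi(\alpha)$ come by duality from the nca properties of $\sigma(\alpha)$ and Proposition 5.1.4. For the continuity of $\pi(\alpha)$ on $\mathfrak{B}_{\mathcal{T}}(X)$, the hypothesis that $\mathcal{T}$ is a D-topology is needed for the $\alpha^*$ case of the induction, which goes as follows:

$\pi(\alpha^*)(int_{\mathcal{T}}(A))$

$= \bigcap_{k \in \mathbb{N}} \pi(\alpha)^k(int_{\mathcal{T}}(A))$

$\subseteq \bigcap_{k \in \mathbb{N}} int_{\mathcal{T}}(\pi(\alpha)^k(A))$   [result for $\pi(\alpha)^k$ and $A$]

$= int_{\mathcal{T}}(\bigcap_{k \in \mathbb{N}} int_{\mathcal{T}}(\pi(\alpha)^k(A)))$   [$\cap$ property of D-topologies]

$\subseteq int_{\mathcal{T}}(\bigcap_{k \in \mathbb{N}} \pi(\alpha)^k(A))$

$= int_{\mathcal{T}}(\pi(\alpha^*)(A))$

For (iii), the inclusion $\pi(\alpha)(A) \subseteq \sigma(\alpha)(A)$ is an easy induction on actions $\alpha \in Act(\Sigma)$. ■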

So we have established that the continuity scheme:

$\langle\alpha\rangle$Cont : $\langle\alpha\rangle\Box\varphi \to \Box\langle\alpha\rangle\varphi$

is valid in all topological structures for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, while the corresponding scheme for

$[\alpha]$Cont : $[\alpha]\Box\varphi \to \Box[\alpha]\varphi$

is valid in all D-topological structures. We also have that the deontic or totality scheme:

$[\alpha]$D : $[\alpha]\varphi \to \langle\alpha\rangle\varphi$

is valid in all topological structures.


5.2  Kripke  Semantics 

Definition 5.2.1 Let $W$ be a non-empty set and $R$ a reflexive and transitive binary relation on $W$. Let $M_R(W)$ denote the set of all $R$-monotone total functions $F : W \to W$.

By Proposition 3.1.3, $M_R(W) = C_{\mathcal{T}_R}(W)$ and if $(X, \mathcal{T})$ is an D-space, then $C_{\mathcal{T}}(X) = M_{R_{\mathcal{T}}}(X)$.

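Definition 5.2.2 A (continuous) Kripke frame for the language $\mathcal{L}_{\Box}(\Phi,\Sigma)$ is a triple $\mathcal{K} = (W, R, \nu)$ where

• $W \ne \emptyset$ is a set of worlds;

• $R \subseteq W \times W$ is a reflexive and transitive binary relation on $W$; and

• $\nu : \Sigma \to M_R(W)$ is a map assigning an $R$-monotone total function $\nu(a) : W \to W$ to each atomic action $a \in \Sigma$.

The map $\nu$ uniquely extends to a map $\rho = \rho_\nu : Act(\Sigma) \to \mathcal{P}(W \times W)$, assigning a binary relation $\rho(\alpha) \subseteq W \times W$ to each action $\alpha \in Act(\Sigma)$, according to the following inductive clauses, where $a \in \Sigma$ and $\alpha, \beta \in Act(\Sigma)$:

$\rho(a) = graph(\nu(a))$

$\rho(\alpha\beta) = \rho(\alpha) \circ \rho(\beta) = \{ (w,v) \mid (\exists u)[(w,u) \in \rho(\alpha) \text{ and } (u,v) \in \rho(\beta)] \}$

$\rho(\alpha + \beta) = \rho(\alpha) \cup \rho(\beta)$

$\rho(\alpha^*) = \bigcup_{k \in \mathbb{N}} \rho(\alpha)^k = \rho(\alpha)^{*}$

where $\rho(\alpha)^0 = 1_{W \times W}$ is the identity binary relation on $W$, $\rho(\alpha)^{k+1} = \rho(\alpha) \circ \rho(\alpha)^k$, and $\rho(\alpha)^{*}$ is the reflexive and transitive closure of $\rho(\alpha)$.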

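A valuation for a Kripke frame $\mathcal{K} = (W, R, \nu)$ is a map $\eta : W \to \mathcal{P}(\Phi)$ assigning a set of atomic propositions $\eta(w) \subseteq \Phi$ to each world $w \in W$. Each such valuation $\eta$ for $\mathcal{K}$ uniquely extends to a forcing relation $\Vdash = \Vdash_\eta \subseteq W \times Form(\Phi,\Sigma)$, between worlds $w \in W$ and formulas $\varphi \in Form(\Phi,\Sigma)$, according to the following inductive clauses, where $p \in \Phi$, $\varphi, \psi \in Form(\Phi,\Sigma)$ and $\alpha \in Act(\Sigma)$, for all $w \in W$:

$w \Vdash_\eta p$ iff $p \in \eta(w)$

$w \Vdash_\eta \neg\varphi$ iff $w \nVdash_\eta \varphi$

$w \Vdash_\eta \varphi \to \psi$ iff $w \nVdash_\eta \varphi$ or $w \Vdash_\eta \psi$

$w \Vdash_\eta \Box\varphi$ iff for all $v \in W$, if $(w,v) \in R$ then $v \Vdash_\eta \varphi$

$w \Vdash_\eta \langle\alpha\rangle\varphi$ iff for some $u \in W$, $(w,u) \in \rho(\alpha)$ and $u \Vdash_\eta \varphi$

A Kripke model for $\mathcal{L}_{\Box}(\Phi,\Sigma)$ is a pair $(\mathcal{K}, \eta)$, where $\eta$ is a valuation for $\mathcal{K}$.

For formulas $\varphi \in Form(\Phi,\Sigma)$, the notions of satisfiability and truth in a Kripke model $(\mathcal{K}, \eta)$, validity in a frame $\mathcal{K}$, and Kripke validity, are as in Definition 2.3.4.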


The $[\alpha]$ modality has the standard “Box” reading in the Kripke semantics:

$w \Vdash_\eta [\alpha]\varphi$ iff for all $u \in W$, if $(w,u) \in \rho(\alpha)$ then $u \Vdash_\eta \varphi$

The next task is to establish the duality between D-topological models and Kripke models, and with that, the duality between the unary operators $\sigma(\alpha)$ (and $\pi(\alpha)$) of topological models and the binary relations $\rho(\alpha)$ of a Kripke frame. The translations come from [JT51], Section 3, where a one-one correspondence is established between nca unary (indeed $n$-ary) operators on the Boolean algebra on $\mathcal{P}(X)$ and binary (or $(n+1)$-ary) relations on a set $X$.


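Definition 5.2.3 A topological structure $\mathfrak{T} = (X, \mathcal{T}, \nu)$ for $\mathcal{L}_{\Box}(\Phi,\Sigma)$ is called an D-topological structure iff $(X, \mathcal{T})$ is an D-space.

Given a Kripke frame $\mathcal{K} = (W, R, \nu)$ for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, define $\mathfrak{T}_{\mathcal{K}} = (W, \mathcal{T}_R, \nu)$ to be its dual D-topological structure. (By Proposition 3.1.3, $M_R(W) = C_{\mathcal{T}_R}(W)$, so the assignment map $\nu : \Sigma \to M_R(W)$ in $\mathcal{K}$ is suitable as an assignment map $\nu : \Sigma \to C_{\mathcal{T}_R}(W)$ in $\mathfrak{T}_{\mathcal{K}}$.)

Similarly, given an D-topological structure $\mathfrak{T} = (X, \mathcal{T}, \nu)$ for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, define $\mathcal{K}_{\mathfrak{T}} = (X, R_{\mathcal{T}}, \nu)$ to be its dual Kripke frame.

Duality for valuations is defined as in Definition 2.4.11.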


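Proposition 5.2.4 Duality of Kripke frames & D-topological structures

(i) Let $\mathcal{K} = (W, R, \nu)$ be a Kripke frame for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, and let $\mathfrak{T}_{\mathcal{K}} = (W, \mathcal{T}_R, \nu)$ be its dual D-topological structure. Let $\rho = \rho_\nu : Act(\Sigma) \to \mathcal{P}(W \times W)$ be the relation map for actions in $\mathcal{K}$, and let $\sigma = \sigma_\nu : Act(\Sigma) \to (\mathcal{P}(W) \to \mathcal{P}(W))$ be the operator map for actions in $\mathfrak{T}_{\mathcal{K}}$. Then for all worlds $w \in W$, all $\alpha \in Act(\Sigma)$ and all $A \in \mathcal{P}(W)$,

$w \in \sigma(\alpha)(A)$ iff $(\exists v \in W)[(w,v) \in \rho(\alpha) \text{ and } v \in A]$   (Op)

(ii) Let $\mathfrak{T} = (X, \mathcal{T}, \nu)$ be a D-topological structure for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, and let $\mathcal{K}_{\mathfrak{T}} = (X, R_{\mathcal{T}}, \nu)$ be its dual Kripke frame. Let $\sigma = \sigma_\nu : Act(\Sigma) \to (\mathcal{P}(X) \to \mathcal{P}(X))$ be the operator map for actions in $\mathfrak{T}$, and let $\rho = \rho_\nu : Act(\Sigma) \to \mathcal{P}(X \times X)$ be the relation map for actions in $\mathcal{K}_{\mathfrak{T}}$. Then for all states $x, y \in X$, and all $\alpha \in Act(\Sigma)$,

$(x,y) \in \rho(\alpha)$ iff $x \in \sigma(\alpha)(\{y\})$   (Rel)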
Proof. We prove (i) by induction on actions $\alpha \in Act(\Sigma)$; (ii) is then a consequence of [JT51], Theorem 3.3, which uses the equivalences (Op) and (Rel) to establish a one-one correspondence between nca unary operators on $\mathcal{P}(X)$ and binary relations on $X$.

For an atomic action $a \in \Sigma$, let $\nu(a) = F \in M_R(W) = C_{\mathcal{T}_R}(W)$. Then $\sigma(a) = F^{-1}$ and $\rho(a) = graph(F)$. Hence

$w \in \sigma(a)(A)$

$\iff w \in F^{-1}(A)$

$\iff F(w) \in A$

$\iff (\exists v \in W)[(w,v) \in graph(F) \text{ and } v \in A]$

$\iff (\exists v \in W)[(w,v) \in \rho(a) \text{ and } v \in A]$

For composition, assume the result (Op) holds for $\alpha, \beta \in Act(\Sigma)$, for all $A \in \mathcal{P}(W)$ and $w \in W$. Then

$w \in \sigma(\alpha\beta)(A)$

$\iff w \in (\sigma(\alpha) \circ \sigma(\beta))(A)$   (1)

$\iff w \in \sigma(\alpha)(\sigma(\beta)(A))$

$\iff (\exists u \in W)[(w,u) \in \rho(\alpha) \text{ and } u \in \sigma(\beta)(A)]$   (2)

$\iff (\exists u \in W)[(w,u) \in \rho(\alpha) \text{ and } (\exists v \in W)[(u,v) \in \rho(\beta) \text{ and } v \in A]]$   (3)

$\iff (\exists v \in W)(\exists u \in W)[(w,u) \in \rho(\alpha) \text{ and } (u,v) \in \rho(\beta) \text{ and } v \in A]$

$\iff (\exists v \in W)[(w,v) \in \rho(\alpha) \circ \rho(\beta) \text{ and } v \in A]$

$\iff (\exists v \in W)[(w,v) \in \rho(\alpha\beta) \text{ and } v \in A]$   (4)

where (1) is by definition of $\sigma(\alpha\beta)$; (2) is (Op) for $\alpha$, $B = \sigma(\beta)(A)$ and $w$; (3) is (Op) for $\beta$, $A$ and $u$; and (4) is by definition of $\rho(\alpha\beta)$.

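For sum, assume (Op) holds for $\alpha, \beta \in Act(\Sigma)$, for all $A \in \mathcal{P}(W)$ and $w \in W$.

$w \in \sigma(\alpha + \beta)(A)$

$\iff w \in \sigma(\alpha)(A) \cup \sigma(\beta)(A)$   (1)

$\iff (\exists v \in W)[(w,v) \in \rho(\alpha) \text{ and } v \in A]$ or $(\exists v \in W)[(w,v) \in \rho(\beta) \text{ and } v \in A]$   (2)

$\iff (\exists v \in W)[[(w,v) \in \rho(\alpha) \text{ or } (w,v) \in \rho(\beta)] \text{ and } v \in A]$

$\iff (\exists v \in W)[(w,v) \in \rho(\alpha + \beta) \text{ and } v \in A]$   (3)

where (1) is by definition of $\sigma(\alpha + \beta)$; (2) is (Op) for $\alpha$ and $\beta$, $A$ and $w$; and (3) is by definition of $\rho(\alpha + \beta)$.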

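For iteration, assume (Op) holds for $\alpha \in Act(\Sigma)$, for all $A \in \mathcal{P}(W)$ and $w \in W$. It is readily verified, by induction on $k$, that (Op) holds for $\sigma(\alpha)^k$ for all $k \in \mathbb{N}$ and all $A \in \mathcal{P}(W)$ and $w \in W$. Then

$w \in \sigma(\alpha^*)(A)$

$\iff w \in \bigcup_{k \in \mathbb{N}} (\sigma(\alpha)^k)(A)$   (1)

$\iff (\exists k \in \mathbb{N})[w \in (\sigma(\alpha)^k)(A)]$

$\iff (\exists k \in \mathbb{N})(\exists v \in W)[(w,v) \in \rho(\alpha)^k \text{ and } v \in A]$   (2)

$\iff (\exists v \in W)(\exists k \in \mathbb{N})[(w,v) \in \rho(\alpha)^k \text{ and } v \in A]$

$\iff (\exists v \in W)[(w,v) \in \bigcup_{k \in \mathbb{N}} \rho(\alpha)^k \text{ and } v \in A]$

$\iff (\exists v \in W)[(w,v) \in \rho(\alpha^*) \text{ and } v \in A]$   (3)

where (1) is by definition of $\sigma(\alpha^*)$; (2) is (Op) for $\sigma(\alpha)^k$, $A$ and $w$; and (3) is by definition of $\rho(\alpha^*)$. ■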

Note that since $\sigma(\alpha)$ is completely additive,

$\sigma(\alpha)(A) = \bigcup_{y \in A} \sigma(\alpha)(\{y\})$

In establishing the duality transformation between Kripke models and D-topological models, the equivalences (Op) and (Rel) are exactly what is needed for the $\langle\alpha\rangle$ case of the induction on formulas.


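Proposition 5.2.5 Duality of Kripke & D-topological models

(i) Let $(\mathcal{K}, \eta)$ be a Kripke model for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, and let $(\mathfrak{T}_{\mathcal{K}}, \xi_\eta)$ be its dual D-topological model. Let $\rho : Act(\Sigma) \to \mathcal{P}(W \times W)$ be the relation map for actions in $\mathcal{K}$, and let $\sigma : Act(\Sigma) \to (\mathcal{P}(W) \to \mathcal{P}(W))$ be the operator map for actions in $\mathfrak{T}_{\mathcal{K}}$. Then for all worlds $w \in W$, all $\alpha \in Act(\Sigma)$ and all $\varphi \in Form(\Phi,\Sigma)$,

$w \in \|\varphi\|_{\xi_\eta}$ iff $w \Vdash_\eta \varphi$

Hence

$(\mathfrak{T}_{\mathcal{K}}, \xi_\eta) \models \varphi$ iff $(\mathcal{K}, \eta) \Vdash \varphi$

(ii) Let $(\mathfrak{T}, \xi)$ be a D-topological model for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, and let $(\mathcal{K}_{\mathfrak{T}}, \eta_\xi)$ be its dual Kripke model. Let $\sigma : Act(\Sigma) \to (\mathcal{P}(X) \to \mathcal{P}(X))$ be the operator map for actions in $\mathfrak{T}$, and $\rho : Act(\Sigma) \to \mathcal{P}(X \times X)$ be the relation map for actions in $\mathcal{K}_{\mathfrak{T}}$. Then for all states $x \in X$, all $\alpha \in Act(\Sigma)$, and all $\varphi \in Form(\Phi,\Sigma)$,

$x \Vdash_{\eta_\xi} \varphi$ iff $x \in \|\varphi\|_\xi$

Hence

$(\mathcal{K}_{\mathfrak{T}}, \eta_\xi) \Vdash \varphi$ iff $(\mathfrak{T}, \xi) \models \varphi$

Proof. For (i), proceed by induction on the sub-formula ordering, extending the proof of Proposition 2.4.12, with the new $\langle\alpha\rangle\varphi$ case appealing to the (Op) equivalence; similarly for (ii) using the (Op) equivalence. ■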


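Corollary 5.2.6 For all formulas $\varphi \in Form(\Phi,\Sigma)$,

$\mathfrak{T} \models \varphi$ for all D-topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box}(\Phi,\Sigma)$
iff $\mathcal{K} \Vdash \varphi$ for all Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box}(\Phi,\Sigma)$

Corollary 5.2.7 For all formulas $\varphi \in Form(\Phi,\Sigma)$,

$\mathfrak{T} \models \varphi$ for all $T_0$ D-topological structures $\mathfrak{T}$ for $\mathcal{L}_{\Box}(\Phi,\Sigma)$
iff $\mathcal{K} \Vdash \varphi$ for all partially ordered Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box}(\Phi,\Sigma)$

Corollary 5.2.8 For all Kripke frames $\mathcal{K}$ for $\mathcal{L}_{\Box}(\Phi,\Sigma)$, and all $\varphi \in Form(\Phi,\Sigma)$,

$\mathcal{K} \Vdash \langle\alpha\rangle\Box\varphi \to \Box\langle\alpha\rangle\varphi$

$\mathcal{K} \Vdash [\alpha]\Box\varphi \to \Box[\alpha]\varphi$

$\mathcal{K} \Vdash [\alpha]\varphi \to \langle\alpha\rangle\varphi$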
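
The Kripke semantics of Definition 5.2.2 can be run directly on finite frames. The following is an added example, not code from the report: a small evaluator that builds the relation map for compound actions, computes forcing, and checks the three schemes of Corollary 5.2.8 on a constructed three-world frame, alongside a frame whose action is not R-monotone. The tuple encoding of actions and formulas, the function names and both sample frames are assumptions made for the example.

```python
from itertools import product

# Tuple syntax (an assumption of this example, not the report's notation):
#   actions : ("atom", a) | ("seq", A, B) | ("sum", A, B) | ("star", A)
#   formulas: ("p", name) | ("not", f) | ("imp", f, g) | ("box", f) | ("dia", A, f)

def box_act(act, f):
    """[alpha]f, defined as not <alpha> not f."""
    return ("not", ("dia", act, ("not", f)))

def compose(r, s):
    """Relational composition: first an r-step, then an s-step."""
    return {(w, v) for (w, u) in r for (u2, v) in s if u == u2}

def is_continuous_frame(frame):
    """R reflexive and transitive, every nu(a) an R-monotone total function."""
    W, R, nu = frame
    reflexive = all((w, w) in R for w in W)
    transitive = compose(R, R) <= R
    monotone = all((f[w], f[v]) in R for f in nu.values() for (w, v) in R)
    return reflexive and transitive and monotone

def rho(frame, act):
    """Relation map of Definition 5.2.2, by induction on the action."""
    W, _, nu = frame
    tag = act[0]
    if tag == "atom":
        return {(w, nu[act[1]][w]) for w in W}        # graph(nu(a))
    if tag == "seq":
        return compose(rho(frame, act[1]), rho(frame, act[2]))
    if tag == "sum":
        return rho(frame, act[1]) | rho(frame, act[2])
    if tag == "star":                                  # union of all finite powers
        base, closure = rho(frame, act[1]), {(w, w) for w in W}
        while True:
            bigger = closure | compose(closure, base)
            if bigger == closure:
                return closure
            closure = bigger
    raise ValueError(f"unknown action {act!r}")

def truth_set(frame, eta, f):
    """Set of worlds forcing f under valuation eta (world -> set of atoms)."""
    W, R, _ = frame
    tag = f[0]
    if tag == "p":
        return {w for w in W if f[1] in eta[w]}
    if tag == "not":
        return set(W) - truth_set(frame, eta, f[1])
    if tag == "imp":
        return (set(W) - truth_set(frame, eta, f[1])) | truth_set(frame, eta, f[2])
    if tag == "box":
        A = truth_set(frame, eta, f[1])
        return {w for w in W if all(v in A for (x, v) in R if x == w)}
    if tag == "dia":
        A = truth_set(frame, eta, f[2])
        return {w for (w, v) in rho(frame, f[1]) if v in A}
    raise ValueError(f"unknown formula {f!r}")

def valid(frame, f, props=("p",)):
    """Frame validity: f is forced at every world under every valuation."""
    W = sorted(frame[0])
    cells = [(w, p) for w in W for p in props]
    for bits in product((False, True), repeat=len(cells)):
        eta = {w: set() for w in W}
        for (w, p), on in zip(cells, bits):
            if on:
                eta[w].add(p)
        if truth_set(frame, eta, f) != set(W):
            return False
    return True

def schemes(act, f=("p", "p")):
    """The three schemes of Corollary 5.2.8, instantiated for one action."""
    dia = lambda g: ("dia", act, g)
    return {
        "<a>Cont": ("imp", dia(("box", f)), ("box", dia(f))),
        "[a]Cont": ("imp", box_act(act, ("box", f)), ("box", box_act(act, f))),
        "[a]D": ("imp", box_act(act, f), dia(f)),
    }

# Constructed sample frames: the chain 0 <= 1 <= 2.
W = {0, 1, 2}
R = {(w, v) for w in W for v in W if w <= v}
A, B = ("atom", "a"), ("atom", "b")
GOOD = (W, R, {"a": {0: 1, 1: 2, 2: 2}, "b": {0: 0, 1: 0, 2: 0}})  # both monotone
BAD = (W, R, {"c": {0: 1, 1: 0, 2: 2}})                            # c swaps 0 and 1

if __name__ == "__main__":
    for act in (A, ("seq", A, B), ("sum", A, B), ("star", ("sum", A, B))):
        print(act, {k: valid(GOOD, s) for k, s in schemes(act).items()})
    print("c", {k: valid(BAD, s) for k, s in schemes(("atom", "c")).items()})
```

On the non-monotone frame the totality scheme still holds, because the action is a total function, while the continuity scheme fails under the valuation that makes p true exactly at worlds 1 and 2.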


5.3  Expressivity  of  TPDL 

In  this  section,  we  briefly  give  examples  of  the  sorts  of  properties  that  can  be  expressed 
in  the  language  of  TPDL.  It  is  by  no  means  an  exhaustive  study  of  the  “expressive 
power”  —  that  will  have  to  await  a  further  investigation  —  but  rather  a  few  suggestive 
examples. 

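Various reachability properties can be expressed. Fix a topological model $(\mathfrak{T}, \xi)$, with $\mathfrak{T} = (X, \mathcal{T}, \nu)$. Then we have:

$(\mathfrak{T}, \xi) \models \psi \to \langle\alpha^*\rangle\varphi$ iff from $\|\psi\|_\xi$, some iteration of $\alpha$ leads to $\|\varphi\|_\xi$

$(\mathfrak{T}, \xi) \models \psi \to [\alpha^*]\varphi$ iff from $\|\psi\|_\xi$, every iteration of $\alpha$ leads to $\|\varphi\|_\xi$

Similarly, the formulas

$\psi \to \langle\alpha^*\rangle\Box\varphi$ and $\psi \to [\alpha^*]\Box\varphi$

express topological reachability properties, requiring $int_{\mathcal{T}}(\|\varphi\|_\xi)$ to be reachable by some or all iterations of $\alpha$ from $\|\psi\|_\xi$. Thinking of $int_{\mathcal{T}}$ as allowing a “margin of error” or a “robustness” in the presence of imprecision, many useful properties will be of this form. Moreover, continuity says that we can safely “push” operators $\langle\alpha\rangle$ and, in D-spaces, $[\alpha]$, “through $\Box$’s”. The continuous analogs of the Hoare composition rules:

$\dfrac{\psi \to \langle\alpha\rangle\Box\chi \qquad \chi \to \langle\beta\rangle\Box\varphi}{\psi \to \langle\alpha\beta\rangle\Box\varphi}$   and   $\dfrac{\psi \to [\alpha]\Box\chi \qquad \chi \to [\beta]\Box\varphi}{\psi \to [\alpha\beta]\Box\varphi}$

are truth-preserving in all topological structures, and all D-topological structures, respectively.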

One can think of the word

$u = a_1 \cdots a_n \in \Sigma^*$

as a basic control script: a finite sequence of atomic actions. Suppose $\nu(a_j) = f_j$ for $1 \le j \le n$ and let $g = f_n \circ \cdots \circ f_1$. Then $g$ is a continuous function, and extending $\nu$ to words $u \in \Sigma^*$, we have $\nu(u) = g$ and $\sigma(u) = g^{-1}$. Then

$x \in \sigma(a_1 \cdots a_n)(A)$ iff $g(x) = (f_n \circ \cdots \circ f_1)(x) \in A$

Hence 

^  ^  iff  a:  G  iff  g{x)  G  ||95||^ 

and

$x \in \|\langle u^*\rangle\varphi\|_\xi$ iff for some $k \in \mathbb{N}$, $g^k(x) \in \|\varphi\|_\xi$

$x \in \|[u^*]\varphi\|_\xi$ iff for all $k \in \mathbb{N}$, $g^k(x) \in \|\varphi\|_\xi$

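The formula $\langle u^*\rangle\varphi \to \varphi$, whose converse is valid, defines the property of weak closure under $g$, since:

$(\mathfrak{T}, \xi) \models \langle u^*\rangle\varphi \to \varphi$

$\iff$ for all $x \in X$, $x \in \|\varphi\|_\xi$ iff for some $k \in \mathbb{N}$, $g^k(x) \in \|\varphi\|_\xi$

i.e. every $x \in \|\varphi\|_\xi$ eventually returns to $\|\varphi\|_\xi$ by some iteration of $g$. Equivalently, $\|\varphi\|_\xi$ is the greatest fixed point of $\sigma(u) = g^{-1}$.

Similarly, the formula $\varphi \to [u^*]\varphi$ defines the property of strong closure under $g$, since:

$(\mathfrak{T}, \xi) \models \varphi \to [u^*]\varphi$

$\iff$ for all $x \in X$, $x \in \|\varphi\|_\xi$ iff for all $k \in \mathbb{N}$, $g^k(x) \in \|\varphi\|_\xi$

i.e. every $x \in \|\varphi\|_\xi$ remains in $\|\varphi\|_\xi$ under all iterations of $g$. Equivalently, $\|\varphi\|_\xi$ is the least fixed point of $\sigma(u) = g^{-1}$.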


5.4  Hilbert-style  Proof  System 

We overlay the axiomatization for PDL given in [Ha84], §2.2, 2.5, on top of S4C, with atomic actions as continuous total functions. The axiomatization given here is not a minimal axiomatization; for example, we probably only need the $\leftarrow$ direction of the $\langle\alpha^*\rangle$ scheme, and the continuity scheme for arbitrary actions $\langle\alpha\rangle$Cont should be derivable from the corresponding scheme for atomic actions. It should rather be thought of as a useful reference list.

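Definition 5.4.1 The Hilbert-style proof system for the logic TPDL has the following axiom schemes, for atomic actions $a \in \Sigma$, $\varphi, \psi \in \mathrm{Form}(\Phi,\Sigma)$ and $\alpha, \beta \in \mathrm{Act}(\Sigma)$:

CP : axioms of classical propositional logic in $\mathrm{Form}(\Phi,\Sigma)$

$\Box$K : $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$

$\Box$T : $\Box\varphi \to \varphi$

$\Box$4 : $\Box\varphi \to \Box\Box\varphi$

$[a]$F : $[a]\varphi \leftrightarrow \langle a\rangle\varphi$

$[\alpha]$K : $[\alpha](\varphi \to \psi) \to ([\alpha]\varphi \to [\alpha]\psi)$

$[\alpha]$D : $[\alpha]\varphi \to \langle\alpha\rangle\varphi$

$\langle\alpha\rangle$Cont : $\langle\alpha\rangle\Box\varphi \to \Box\langle\alpha\rangle\varphi$

$\langle\alpha\rangle\vee$ : $\langle\alpha\rangle(\varphi \vee \psi) \leftrightarrow (\langle\alpha\rangle\varphi \vee \langle\alpha\rangle\psi)$

$\langle\alpha\beta\rangle$ : $\langle\alpha\beta\rangle\varphi \leftrightarrow \langle\alpha\rangle\langle\beta\rangle\varphi$

$\langle\alpha + \beta\rangle$ : $\langle\alpha + \beta\rangle\varphi \leftrightarrow (\langle\alpha\rangle\varphi \vee \langle\beta\rangle\varphi)$

$\langle\alpha^*\rangle$ : $\langle\alpha^*\rangle\varphi \leftrightarrow (\varphi \vee \langle\alpha\rangle\langle\alpha^*\rangle\varphi)$

$\langle\alpha^*\rangle$Ind : $\langle\alpha^*\rangle\varphi \to (\varphi \vee \langle\alpha^*\rangle(\neg\varphi \wedge \langle\alpha\rangle\varphi))$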

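and the inference rules:

modus ponens: $\dfrac{\varphi \qquad \varphi \to \psi}{\psi}$

$\Box$-necessitation: $\dfrac{\varphi}{\Box\varphi}$

$[\alpha]$-necessitation: $\dfrac{\varphi}{[\alpha]\varphi}$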


We write

$$\mathrm{TPDL} \vdash_H \varphi$$

or say $\varphi$ is TPDL$_H$ provable, if the formula $\varphi \in \mathrm{Form}(\Phi,\Sigma)$ has a TPDL Hilbert-style derivation.


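The following formulas are TPDL$_H$ provable, for any atomic actions $a \in \Sigma$, $\varphi, \psi \in \mathrm{Form}(\Phi,\Sigma)$ and $\alpha, \beta \in \mathrm{Act}(\Sigma)$, and $k \in \mathbb{N}$:

$[\alpha]$Cont : $\Box[\alpha]\varphi \to [\alpha]\Box\varphi$

$[\alpha]\wedge$ : $[\alpha](\varphi \wedge \psi) \leftrightarrow ([\alpha]\varphi \wedge [\alpha]\psi)$

$[\alpha]\vee$ : $([\alpha]\varphi \vee [\alpha]\psi) \to [\alpha](\varphi \vee \psi)$

$[\alpha\beta]$ : $[\alpha\beta]\varphi \leftrightarrow [\alpha][\beta]\varphi$

$[\alpha + \beta]$ : $[\alpha + \beta]\varphi \leftrightarrow ([\alpha]\varphi \wedge [\beta]\varphi)$

$[\alpha^*]$ : $[\alpha^*]\varphi \leftrightarrow (\varphi \wedge [\alpha][\alpha^*]\varphi)$

$[\alpha^*]$Ind : $(\varphi \wedge [\alpha^*](\varphi \to [\alpha]\varphi)) \to [\alpha^*]\varphi$

$[\alpha^*]$T : $[\alpha^*]\varphi \to \varphi$

$[\alpha^*]$4 : $[\alpha^*][\alpha^*]\varphi \leftrightarrow [\alpha^*]\varphi$

$\langle\alpha\rangle\wedge$ : $\langle\alpha\rangle(\varphi \wedge \psi) \to (\langle\alpha\rangle\varphi \wedge \langle\alpha\rangle\psi)$

$\langle\alpha^*\rangle(\alpha^k)$ : $\langle\alpha^k\rangle\varphi \to \langle\alpha^*\rangle\varphi$

$\langle\alpha^*\rangle$T : $\varphi \to \langle\alpha^*\rangle\varphi$

$\langle\alpha^*\rangle$4 : $\langle\alpha^*\rangle\langle\alpha^*\rangle\varphi \leftrightarrow \langle\alpha^*\rangle\varphi$

$[a_1 \cdots a_n]$F : $[a_1 \cdots a_n]\varphi \leftrightarrow \langle a_1 \cdots a_n\rangle\varphi$

$\langle a_1 \cdots a_n\rangle\neg$ : $\neg\langle a_1 \cdots a_n\rangle\varphi \leftrightarrow \langle a_1 \cdots a_n\rangle\neg\varphi$

$\langle a_1 \cdots a_n\rangle{\to}$ : $\langle a_1 \cdots a_n\rangle(\varphi \to \psi) \leftrightarrow (\langle a_1 \cdots a_n\rangle\varphi \to \langle a_1 \cdots a_n\rangle\psi)$

$\langle a_1 \cdots a_n\rangle\wedge$ : $\langle a_1 \cdots a_n\rangle(\varphi \wedge \psi) \leftrightarrow (\langle a_1 \cdots a_n\rangle\varphi \wedge \langle a_1 \cdots a_n\rangle\psi)$

$\langle a_1 \cdots a_n\rangle\vee$ : $\langle a_1 \cdots a_n\rangle(\varphi \vee \psi) \leftrightarrow (\langle a_1 \cdots a_n\rangle\varphi \vee \langle a_1 \cdots a_n\rangle\psi)$

$\langle a_1 \cdots a_n\rangle\top$ : $\langle a_1 \cdots a_n\rangle\top$

$\langle a_1 \cdots a_n\rangle\bot$ : $\langle a_1 \cdots a_n\rangle\bot \leftrightarrow \bot$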


This last block of derivable formulas asserts that compositions $(a_1 \cdots a_n)$ of atomic actions behave just like a single atomic action $a$: they are functional and continuous, and commute with all the Boolean operations.


Proposition 5.4.2 Soundness of TPDL Hilbert-style proof system

For all formulas $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, if $\mathrm{TPDL} \vdash_H \varphi$ then $\mathfrak{T} \models \varphi$ for all topological structures $\mathfrak{T}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$, and $\mathcal{K} \Vdash \varphi$ for all Kripke frames $\mathcal{K}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$.


Proof. An easy extension of Propositions 2.2.2, 2.3.5 and 3.2.2. The topological and Kripke validity of the $\langle\alpha\rangle$Cont and $[\alpha]$D axioms comes from Proposition 5.1.7 and Corollary 5.2.8, and the validity of the PDL axioms for compound actions is a straightforward exercise. ■


Completeness proofs for the axiomatization of PDL (e.g. [KP81], [Seg82], [KT90]) can be easily adapted to TPDL. As for all dynamic logics, the infinitary nature of the iteration operation is the core complication which prevents the “cheap” maximal consistent sets construction from going through quite so smoothly.

In  virtue  of  the  equation  p{a*)  =  among  the  inductive  clauses  extending 

the relation map $\rho$ from atomic actions to all actions in Definition 5.2.2, our Kripke models are by definition standard in the sense of [Koz80]: $\rho(\alpha^*)$ is defined to be the reflexive and transitive closure of $\rho(\alpha)$.


Definition 5.4.3 A non-standard Kripke model for $\mathcal{L}_\Box(\Phi,\Sigma)$ is a quadruple

$$\mathcal{M} = (W, R, \{R(\alpha)\}_{\alpha \in \mathrm{Act}(\Sigma)}, \eta)$$

where

• $W \neq \emptyset$;

• $R \subseteq W \times W$ is reflexive and transitive;

• $\eta : W \to \mathcal{P}(\Phi)$ is a valuation; and

• for each $\alpha \in \mathrm{Act}(\Sigma)$, $R(\alpha) \subseteq W \times W$ is a relation satisfying:

(i) for each atomic action $a \in \Sigma$, $R(a)$ is total, functional, and $R$-monotone;

(ii) $R(\alpha\beta) = R(\alpha) \circ R(\beta)$;

(iii) $R(\alpha + \beta) = R(\alpha) \cup R(\beta)$; and

(iv) $R(\alpha^*)$ is a reflexive and transitive relation containing $R(\alpha)$ (and hence containing $R(\alpha)^{*}$) and also satisfying the $\langle\alpha^*\rangle$Ind induction axiom, which means: for all $w \in W$ and $A \subseteq W$, if for some $v \in W$, $(w,v) \in R(\alpha^*)$ and $v \in A$, then either $w \in A$ or there exist $u, z \in W$ such that $(w,u) \in R(\alpha^*)$, $(u,z) \in R(\alpha)$, $u \notin A$ and $z \in A$.


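Now define $\mathcal{M}_0 = (W_0, R_0, \{R_0(\alpha)\}_{\alpha \in \mathrm{Act}(\Sigma)}, \eta_0)$ by:

$W_0 = \{U \subseteq \mathrm{Form}(\Phi,\Sigma) \mid U \text{ is maximal TPDL-consistent}\}$

$(U,V) \in R_0$ iff $(\forall\varphi \in \mathrm{Form}(\Phi,\Sigma))[\,\Box\varphi \in U \Rightarrow \varphi \in V\,]$

$(U,V) \in R_0(\alpha)$ iff $(\forall\varphi \in \mathrm{Form}(\Phi,\Sigma))[\,\varphi \in V \Rightarrow \langle\alpha\rangle\varphi \in U\,]$

$\eta_0(U) = \{p \in \Phi \mid p \in U\}$

From the proofs of Propositions 2.3.7 and 3.2.3, $R_0$ is a reflexive and transitive binary relation on $W_0$, and for each atomic action $a \in \Sigma$, the relation $R_0(a)$ defines the total function:

$$(F_0(a))(U) = \{\varphi \in \mathrm{Form}(\Phi,\Sigma) \mid \langle a\rangle\varphi \in U\}$$

which “peels-off” one $\langle a\rangle$; moreover, each $F_0(a)$ is $R_0$-monotone.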

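Lemma 5.4.4 The structure $\mathcal{M}_0 = (W_0, R_0, \{R_0(\alpha)\}_{\alpha \in \mathrm{Act}(\Sigma)}, \eta_0)$ is a non-standard Kripke model for $\mathcal{L}_\Box(\Phi,\Sigma)$, and for all $\varphi \in \mathrm{Form}(\Phi,\Sigma)$ and $U \in W_0$,

$$U \Vdash \varphi \text{ in } \mathcal{M}_0 \quad\text{iff}\quad \varphi \in U$$

Proof. For the first part, it suffices to show that the relations $\{R_0(\alpha)\}_{\alpha \in \mathrm{Act}(\Sigma)}$ satisfy conditions (ii), (iii), and (iv). The reasoning is identical to that for PDL; see, for example, [Seg82], §4. The “Truth Lemma” is a straightforward induction on formulas.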


The failure of the converse of the condition:

$$R(\alpha)^{*} \subseteq R(\alpha^*)$$

is due to the failure of compactness: every finite subset of

$$C = \{\langle\alpha^*\rangle p\} \cup \{\neg\langle\alpha^k\rangle p \mid k \in \mathbb{N}\}$$

is satisfiable (in a standard Kripke model), but $C$ is not satisfiable. To produce a standard Kripke model in which a TPDL$_H$ non-provable formula is falsified (or in which a TPDL-consistent formula is satisfied), we continue to follow the pattern of PDL completeness proofs by taking a filtration (or quotient) through the Fischer-Ladner closure. The Fischer-Ladner order on formulas, which extends the subformula ordering by having $\psi \prec \varphi$ whenever $\psi$ is “relevant” to the semantics of $\varphi$, is also required for the proof of completeness for tableaux in Section 5.7 below.

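Definition 5.4.5 [FL79], [KT90]. Let $\prec$ be the smallest transitive binary relation on the set $\mathrm{Form}(\Phi,\Sigma)$ of formulas of $\mathcal{L}_\Box(\Phi,\Sigma)$ satisfying the following inequalities, for all $\varphi, \psi \in \mathrm{Form}(\Phi,\Sigma)$ and $\alpha, \beta \in \mathrm{Act}(\Sigma)$:

($\neg$) : $\varphi \prec \neg\varphi$

($\to$) : $\varphi \prec \varphi \to \psi$ and $\psi \prec \varphi \to \psi$

($\Box$) : $\varphi \prec \Box\varphi$

($\alpha$) : $\varphi \prec \langle\alpha\rangle\varphi$

($\alpha\beta$) : $\langle\alpha\rangle\langle\beta\rangle\varphi \prec \langle\alpha\beta\rangle\varphi$ and $\langle\beta\rangle\varphi \prec \langle\alpha\beta\rangle\varphi$

($\alpha + \beta$) : $\langle\alpha\rangle\varphi \prec \langle\alpha + \beta\rangle\varphi$ and $\langle\beta\rangle\varphi \prec \langle\alpha + \beta\rangle\varphi$

($\alpha^*$) : $\langle\alpha\rangle\langle\alpha^*\rangle\varphi \prec \langle\alpha^*\rangle\varphi$

The relation $\prec$ is called the Fischer-Ladner order. Define, for $\varphi, \psi \in \mathrm{Form}(\Phi,\Sigma)$,

$$\psi \preceq \varphi \quad\text{iff}\quad \psi \prec \varphi \text{ or } \psi = \varphi$$

Then for any formula $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, define the Fischer-Ladner closure of $\varphi$, denoted $FL(\varphi)$, to be the set of formulas:

$$FL(\varphi) = \{\psi \in \mathrm{Form}(\Phi,\Sigma) \mid \psi \preceq \varphi\}$$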

It is immediate that $SF(\varphi) \subseteq FL(\varphi)$, where $SF(\varphi)$ is the set of subformulas of $\varphi$. The crucial property is that $\prec$ is well-founded. To see this, let $|\alpha|$ and $|\varphi|$ denote the lengths of $\alpha \in \mathrm{Act}(\Sigma)$ and $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, respectively, considered as strings over the alphabet:

$$\Sigma \cup \Phi \cup \{\cdot, +, *, \langle, \rangle\} \cup \{\neg, \to, \Box, (, )\}$$

where $\cdot$ is used to denote composition. Then $\langle\beta\rangle\psi \prec \langle\alpha\rangle\varphi$ implies $|\beta| < |\alpha|$. Since only $\langle\alpha\rangle$ formulas have $\prec$-predecessors that are not subformulas, it follows that there can be no infinite descending $\prec$-chains, and every descending $\prec$-chain ends with an atomic proposition $p \in \Phi$. A straightforward induction with respect to $\prec$ establishes that:

$$|FL(\varphi)| \le |\varphi|$$

for all $\varphi \in \mathrm{Form}(\Phi,\Sigma)$.
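The closure of Definition 5.4.5 can be computed by a worklist over the direct $\prec$-predecessors given by its clauses. The following Python sketch is an added example, not code from the report: the tuple encoding of formulas and actions and all function names are assumptions made for illustration, and the ($\alpha$) clause is read as applying to every action $\alpha$.

```python
# Added illustration (not from the report): Fischer-Ladner closure by worklist.
# Assumed encoding, chosen for this example:
#   formulas: ("p", name) | ("not", f) | ("imp", f, g) | ("box", f) | ("dia", act, f)
#   actions:  ("atom", name) | ("seq", a, b) | ("choice", a, b) | ("star", a)

def dia(act, f):
    """Build the formula <act>f."""
    return ("dia", act, f)

def predecessors(f):
    """Formulas placed directly below f by the clauses of Definition 5.4.5."""
    tag = f[0]
    if tag == "p":
        return []
    if tag in ("not", "box"):
        return [f[1]]
    if tag == "imp":
        return [f[1], f[2]]
    if tag != "dia":
        raise ValueError("unknown formula tag: %r" % (tag,))
    act, body = f[1], f[2]
    below = [body]                       # phi below <alpha>phi
    kind = act[0]
    if kind == "seq":                    # <a><b>phi and <b>phi below <ab>phi
        below += [dia(act[1], dia(act[2], body)), dia(act[2], body)]
    elif kind == "choice":               # <a>phi and <b>phi below <a+b>phi
        below += [dia(act[1], body), dia(act[2], body)]
    elif kind == "star":                 # <a><a*>phi below <a*>phi
        below.append(dia(act[1], f))
    elif kind != "atom":
        raise ValueError("unknown action tag: %r" % (kind,))
    return below

def fl_closure(f):
    """FL(f): f together with everything reachable through predecessors()."""
    closure, work = {f}, [f]
    while work:
        for g in predecessors(work.pop()):
            if g not in closure:         # already-seen formulas are not revisited
                closure.add(g)
                work.append(g)
    return closure

def subformulas(f):
    """SF(f), for checking SF(f) <= FL(f)."""
    out = {f}
    if f[0] in ("not", "box"):
        out |= subformulas(f[1])
    elif f[0] == "imp":
        out |= subformulas(f[1]) | subformulas(f[2])
    elif f[0] == "dia":
        out |= subformulas(f[2])
    return out

def filtration_bound(f):
    """Classes of the filtration are told apart only by subsets of FL(f)."""
    return 2 ** len(fl_closure(f))

def show_action(act):
    kind = act[0]
    if kind == "atom":
        return act[1]
    if kind == "seq":
        return "(%s;%s)" % (show_action(act[1]), show_action(act[2]))
    if kind == "choice":
        return "(%s+%s)" % (show_action(act[1]), show_action(act[2]))
    return show_action(act[1]) + "*"

def show(f):
    tag = f[0]
    if tag == "p":
        return f[1]
    if tag == "not":
        return "~" + show(f[1])
    if tag == "box":
        return "[]" + show(f[1])
    if tag == "imp":
        return "(%s -> %s)" % (show(f[1]), show(f[2]))
    return "<%s>%s" % (show_action(f[1]), show(f[2]))

if __name__ == "__main__":
    a, b, p = ("atom", "a"), ("atom", "b"), ("p", "p")
    phi = dia(("star", ("choice", a, b)), p)      # constructed sample: <(a+b)*>p
    for g in sorted(fl_closure(phi), key=show):
        print(show(g))
    print("filtration bound:", filtration_bound(phi))
```
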

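Let $\mathcal{M}_0 = (W_0, R_0, \{R_0(\alpha)\}_{\alpha \in \mathrm{Act}(\Sigma)}, \eta_0)$ be the non-standard Kripke model for $\mathcal{L}_\Box(\Phi,\Sigma)$, as above, and fix $\varphi \in \mathrm{Form}(\Phi,\Sigma)$. Define an equivalence relation $\equiv_\varphi$ on $W_0$ by:

$$U \equiv_\varphi V \quad\text{iff}\quad U \cap FL(\varphi) = V \cap FL(\varphi)$$

For each $U \in W_0$, let $\overline{U} = \{V \in W_0 \mid U \equiv_\varphi V\}$ denote the $\equiv_\varphi$-equivalence class of $U$, and let $W_\varphi$ denote the set of all such equivalence classes. Define a (standard) Kripke frame $\mathcal{K}_\varphi = (W_\varphi, R_\varphi, \nu_\varphi)$ to be the minimal quotient (Lemma 3.3.2, extended to Kripke frames for $\mathcal{L}_\Box(\Phi,\Sigma)$) of the frame of $\mathcal{M}_0$ under the surjective map $h : W_0 \to W_\varphi$ given by $h(U) = \overline{U}$; i.e. for all $U, V \in W_0$,

$$h(U) = h(V) \quad\text{iff}\quad U \cap FL(\varphi) = V \cap FL(\varphi)$$

and

$$(h(U), h(V)) \in R_\varphi \quad\text{iff}\quad (U,V) \in R_0$$

and for each atomic action $a \in \Sigma$, where $\mathrm{graph}(F_0(a)) = R_0(a)$ in $\mathcal{M}_0$,

$$(\nu_\varphi(a))(h(U)) = h((F_0(a))(U))$$

i.e. $\nu_\varphi(a) \circ h = h \circ F_0(a)$. Define a valuation $\eta_\varphi$ for $\mathcal{K}_\varphi$:

$$\eta_\varphi(h(U)) = \{p \in \Phi \mid p \in U\}$$

The Kripke model $(\mathcal{K}_\varphi, \eta_\varphi)$ is commonly called the filtration of $\mathcal{M}_0$ through $FL(\varphi)$. Note that $\mathcal{K}_\varphi$ has at most $2^{|\varphi|}$ worlds (states).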


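Lemma 5.4.6 Filtration Lemma.

(a) For all $\psi \in FL(\varphi)$ and all $U \in W_0$,

$$h(U) \Vdash_{\eta_\varphi} \psi \quad\text{iff}\quad U \Vdash_{\eta_0} \psi;$$

(b) For all $\langle\alpha\rangle\psi \in FL(\varphi)$ and all $U, V \in W_0$,

if $(U,V) \in R_0(\alpha)$ then $(h(U), h(V)) \in \rho(\alpha)$

and

if $(h(U), h(V)) \in \rho(\alpha)$ and $\psi \in V$ then $\langle\alpha\rangle\psi \in U$

where $\rho$ is the induced relation map for $(\mathcal{K}_\varphi, \eta_\varphi)$.

Proof. By induction on the Fischer-Ladner order $\prec$. See [KT90], [Seg82], Lemmas 6.3A and 6.3B. ■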

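Proposition 5.4.7 Kripke Completeness of TPDL Hilbert-style proof system

For each $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, if $\mathrm{TPDL} \nvdash_H \varphi$, then there exists a (finite) Kripke model $(\mathcal{K}_\varphi, \eta_\varphi)$ for $\mathcal{L}_\Box(\Phi,\Sigma)$ such that $(\mathcal{K}_\varphi, \eta_\varphi) \nVdash \varphi$.

Proof. Fix $\varphi \in \mathrm{Form}(\Phi,\Sigma)$ and suppose $\mathrm{TPDL} \nvdash_H \varphi$. Then $\{\neg\varphi\}$ is TPDL-consistent, so there exists a maximal TPDL-consistent set $U$ such that $\neg\varphi \in U$; equivalently, $\varphi \notin U$. Hence in the non-standard model $\mathcal{M}_0$, we have $U \nVdash \varphi$, by Lemma 5.4.4. Let $(\mathcal{K}_\varphi, \eta_\varphi)$ be the filtration of $\mathcal{M}_0$ through $FL(\varphi)$. Then by Lemma 5.4.6, we have $h(U) \nVdash \varphi$. Hence $(\mathcal{K}_\varphi, \eta_\varphi) \nVdash \varphi$, as required. ■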


5.5  Tableaux  Proof  System 

The tableaux proof system developed for the logics S4F and S4C readily extends to TPDL. The tableaux rules for complex action modalities $\langle\alpha\rangle$ reflect the corresponding axioms in the Hilbert-style system.

Definition 5.5.1 Let $W = \{w_i \mid i \in \mathbb{N}\}$ be a countable set of world symbols and let $\mathcal{F} = \{F_j \mid j \in \mathbb{N}\}$ be a countable family of unary function symbols. Let $W(\mathcal{F})$ be the set of terms, called world terms, generated from $W$ under $\mathcal{F}$. So every world term $t \in W(\mathcal{F})$ is either a world symbol $w_i \in W$, or else of the form $(F_{j_n} \circ \cdots \circ F_{j_1})(w_i)$ for some function symbols $F_{j_1}, \ldots, F_{j_n} \in \mathcal{F}$.

To simplify notation, let $\mathbb{N}^*$ denote the set of all finite strings (sequences) over $\mathbb{N}$, with the empty string $\Lambda \in \mathbb{N}^*$. For each $i \in \mathbb{N}$ and $\sigma \in \mathbb{N}^*$, define the term $F_\sigma(w_i)$ by induction on strings as follows:

$$F_\Lambda(w_i) = w_i$$
$$F_{\sigma^\frown j}(w_i) = F_j(F_\sigma(w_i))$$

where $\sigma^\frown j$ is the result of adjoining $j \in \mathbb{N}$ to the string $\sigma$.

It is immediate that $W(\mathcal{F})$ is in one-one correspondence with the set $\mathbb{N} \times \mathbb{N}^*$ under $t \mapsto (i,\sigma)$ iff $t = F_\sigma(w_i)$. We also assume we have a fixed enumeration $\Sigma = \{a_j \mid j \in \mathbb{N}\}$ of atomic actions of the language $\mathcal{L}_\Box(\Phi,\Sigma)$. In the canonical term frame, the atomic action $a_j$ will be interpreted by the term constructor function $t \mapsto F_j(t)$, or in the string notation, $F_\sigma(w_i) \mapsto F_{\sigma^\frown j}(w_i)$.

Definition 5.5.2 For each formula $\varphi \in \mathcal{L}_\Box(\Phi,\Sigma)$, define $\Sigma_\varphi$ to be the set of indices of atomic actions appearing in $\varphi$:

S*  =  O'  e  N  I  €  FL(if)} 

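Let $\Sigma_\varphi^*$ denote the set of all finite sequences over $\Sigma_\varphi$.

If $t = F_\sigma(w_i)$ and $\sigma \in \Sigma_\varphi^*$ then $t$ is said to be relevant to any signed forcing assertion $T[\,w_i \Vdash \varphi\,]$ or $F[\,w_i \Vdash \varphi\,]$ which has $w_i$ as its subject and $\varphi$ as its object.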


Definition 5.5.3 The class of atomic tableaux includes the labeled binary trees (T-AP), (F-AP), (T$\neg$), (F$\neg$), (T$\to$), (F$\to$), (T$\Box$), and (F$\Box$), of Definition f.l.S, with atomic formulas $p \in \Phi = AP$, formulas $\varphi, \psi \in \mathrm{Form}(\Phi,\Sigma)$, and world terms $t, s \in W(\mathcal{F})$, and in addition, the following labelled binary trees:
Definition 5.5.4 The class of TPDL tableaux is defined inductively as follows:

(i) If $\tau$ is an atomic tableaux in which the world term $t$ in the root entry is a world symbol $w_i \in W$, then $\tau$ is a TPDL tableaux.

For the case (F$\Box$), the condition that the $w_j$ in $w_i R w_j$ be “new” merely means that $j \neq i$; for definiteness, we may take $j = i + 1$.

For the case (T$\Box$), the condition that $t R s$ “occurs previously on this path” cannot be satisfied in this case, so an atomic tableaux $\tau$ with root entry $T[\,w_i \Vdash \Box\varphi\,]$ consists of the root node only.

(ii) If $\tau$ is a finite TPDL tableaux, $P$ is a path in $\tau$ which does not contain contradictory entries:

$$T[\,t \Vdash \varphi\,] \quad\text{and}\quad F[\,t \Vdash \varphi\,]$$

for any formula $\varphi \in \mathrm{Form}(\Phi,\Sigma)$ and $t \in W(\mathcal{F})$, and $\tau'$ is constructed from $\tau$ by extending $P$ using one of the following construction rules, then $\tau'$ is a TPDL tableaux.

(Develop) A signed forcing assertion $E$ occurs on $P$ and $\tau'$ is constructed from $\tau$ by appending an atomic tableaux with root entry $E$ to the end of the path $P$.

For the case (F$\Box$), where $E$ is of the form $F[\,t \Vdash \Box\varphi\,]$, the condition that the $w_j$ in $t R w_j$ be “new” means that $j \in \mathbb{N}$ is the least integer such that $w_j$ is yet to occur in any entry on $\tau$.

For the case (T$\Box$), where $E$ is of the form $T[\,t \Vdash \Box\varphi\,]$, the condition that $t R s$ “occurs previously on this path” means that $t R s$ is an entry on $P$. If there are no entries $t R s$ on $P$, for any $s \in W(\mathcal{F})$, then as in (i), the atomic tableaux in this case consists only of the root node labelled $E$.

(R-Reflex) A world term $t \in W(\mathcal{F})$ is relevant to some signed forcing assertion on $P$, and $\tau'$ is constructed from $\tau$ by adjoining to the end of $P$ an entry $t R t$.

(R-Trans) For some $t, s, r \in W(\mathcal{F})$, accessibility assertions $t R r$ and $r R s$ both occur as entries on $P$, and $\tau'$ is constructed from $\tau$ by adjoining to the end of $P$ the entry $t R s$.

($F_j$-Cont) For some $t, s \in W(\mathcal{F})$, an accessibility assertion $t R s$ occurs as an entry on $P$, $j \in \Sigma_\varphi$ where $\varphi$ is the object formula in the root entry of $P$, and $\tau'$ is constructed from $\tau$ by adjoining to the end of $P$ the entry $F_j(t) R F_j(s)$.
(iii) If $I \subseteq \mathbb{N}$ and $\{\tau_n\}_{n \in I}$ is a sequence of finite TPDL tableaux such that $\tau_0$ is an atomic tableaux and for each $n < \sup(I)$, $\tau_{n+1}$ is constructed from $\tau_n$ by an application of clause (ii), then $\tau = \bigcup_{n \in I} \tau_n$ is a TPDL tableaux.


Definition 5.5.5 Given two signed forcing assertions $S[\,t \Vdash \varphi\,]$ and $S'[\,t' \Vdash \varphi'\,]$, with $S, S' \in \{T, F\}$, $t, t' \in W(\mathcal{F})$ and $\varphi, \varphi' \in \mathrm{Form}(\Phi,\Sigma)$, we say that $S'[\,t' \Vdash \varphi'\,]$ is a direct descendant of $S[\,t \Vdash \varphi\,]$ iff $S'[\,t' \Vdash \varphi'\,]$ is an entry in the atomic tableaux which has $S[\,t \Vdash \varphi\,]$ as its root entry.


Lemma 5.5.6 If $S'[\,t' \Vdash \varphi'\,]$ is a direct descendant of $S[\,t \Vdash \varphi\,]$ then $\varphi' \preceq \varphi$ in the Fischer-Ladner ordering (Definition 5.4.5).

Proof. Immediate from the definitions. ■

We  will  of  course  be  using  the  Fischer-Ladner  ordering  rather  than  the  subformula 
ordering  in  inductive  proofs. 


5.6  The  Term  Frame  of  a  Path 

The term frame in this setting is just a beefed-up version of the term frames for paths in S4F and S4C tableaux.

Definition 5.6.1 Let $\tau$ be a TPDL tableaux with $\varphi \in \mathrm{Form}(\Phi,\Sigma)$ the object of the root entry, and let $P$ be a path through $\tau$. We associate with $P$ a unique Kripke frame $\mathcal{K}_P = (W_P, R_P, \nu_P)$, called the term frame for $P$, as follows.

Let $W_0$ be the set of all world symbols $w_i \in W$ that are the subject of a signed forcing assertion on $P$. Recall that $\Sigma_\varphi$ is the set of indices of atomic actions appearing in $\varphi$. Define $\Sigma_P = \Sigma_\varphi$, and define:

$$W_P = \{F_\sigma(w_i) \mid w_i \in W_0 \text{ and } \sigma \in \Sigma_P^*\}$$

i.e. $W_P \subseteq W(\mathcal{F})$ is the smallest subset of $W(\mathcal{F})$ that contains all world terms that are the subject of some signed forcing assertion on $P$ and is also closed under application of all appropriate $F_j$ (for $j \in \Sigma_\varphi$); equivalently, $W_P$ is the set of all terms in $W(\mathcal{F})$ that are relevant to some signed forcing assertion on $P$.

The relation $R_P$ on $W_P$ is defined to be the reflexive, transitive and $F_j$-functional closure, for all $j \in \Sigma_P$, of the relation $R$ on $W_P$ defined by:

$$(t,s) \in R \quad\Leftrightarrow\quad t R s \text{ is an entry on } P$$




for  all  t,s  ^  Wp.  That  is, 


where 


«<■  =  U 

m€N 


Rt 

p+ 

“m+l 


{(f,  <)  I  t  6  Wp},  the  identity  relation  on  Wp 
R  =  {{t.,s)  €  Wp  X  Wp  I  fRs  is  an  entry  on  P} 

Rl  U  {(i,s)  I  (3r  e  W,)  (t,r)  6  K  and  (r.s)  €  ft*} 
i(t),r i{s))  I  (i,s)  e  ftj  and  j  €  Sp} 


For each $a_j \in \Sigma$, define the function $\nu_P(a_j) : W_P \to W_P$ by

$$(\nu_P(a_j))(t) = \begin{cases} F_j(t) & \text{if } j \in \Sigma_P \\ t & \text{otherwise} \end{cases}$$

for all $t \in W_P$; i.e. $\nu_P(a_j)$ is the term constructor function $t \mapsto F_j(t)$ on $W_P$ if the atomic action $a_j$ occurs in the object formula $\varphi$ of the root entry of $P$, and the identity function otherwise.


In this setting, the notion of a Kripke model $(\mathcal{K}, \eta)$ agreeing with a path $P$ is the obvious extension of the notion in Definition 4.2.5: $\mathcal{K}$ is a quotient of $\mathcal{K}_P$, under some quotient map $h : W_P \to W$, where $h$ preserves $R_P$ and $R$, the family of maps $\{\nu(a)\}_{a \in \Sigma}$ for $\mathcal{K}$ and $\{\nu_P(a)\}_{a \in \Sigma}$ for $\mathcal{K}_P$ satisfies $\nu(a)(h(t)) = h(\nu_P(a)(t))$; and $h$ preserves the valuations described on $P$.

The process of constructing a TPDL tableaux proceeds analogously with the process of constructing an S4F or S4C tableaux. In particular, if $P$ is a path through a TPDL tableaux $\tau$, $\tau'$ is a TPDL tableaux obtained from $\tau$ by extending $P$ by applying one of the tableaux construction rules in clause (ii) of Definition 5.5.4, and $P'$ is any path through $\tau'$ extending $P$, then:

(a) If the rule applied is not the (F$\Box$) case of the (Develop) rule, then we have:

$$\mathcal{K}_{P'} = \mathcal{K}_P$$

(b) If the rule (F$\Box$) is applied to an entry $F[\,t \Vdash \Box\psi\,]$ occurring on $P$, where $t = F_\sigma(w_i) \in W_P$, and $k \in \mathbb{N}$ is the least such that $w_k$ is yet to occur in any entry on $\tau$, then:

• $i < k$;

• $W_{P'} = W_P \cup \{F_\omega(w_k) \mid \omega \in \Sigma_{P'}^*\}$, where $\Sigma_P = \Sigma_{P'}$;

• $R_{P'}$ is the reflexive, transitive and $F_j$-functional closure in $W_{P'}$, for $j \in \Sigma_P$, of $R_P \cup \{(F_\sigma(w_i), w_k)\}$;

• for each $j \in \Sigma_P$, $\nu_{P'}(a_j)$ is the term constructor function on $W_{P'}$ uniquely extending $\nu_P(a_j)$, and the identity function otherwise.

Theorem 5.6.2 Kripke Soundness of TPDL tableaux

For all formulas $\varphi \in \mathrm{Form}(\Phi,\Sigma)$,

if $\mathrm{TPDL} \vdash_T \varphi$ then for all Kripke frames $\mathcal{K}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$, $\mathcal{K} \Vdash \varphi$.

Proof. The additional tableaux rules for complex actions create no complications in the main path extension lemma on the inductive construction of tableaux since these rules do not involve the introduction of new primitive world terms. ■

Contemplation of the tableaux construction rules reveals the following:

if $F_\sigma(w_i)\, R\, F_\omega(w_k)$ is an entry on $P$,

then $i < k$ and $\sigma = \pi^\frown\omega$ for some (possibly empty) string $\pi \in \Sigma_P^*$, and $F_\pi(w_i)\, R\, w_k$ is an entry on $P$.

For strings $\sigma, \omega \in \Sigma_P^*$, define the final segment ordering $\le$ by: $\omega \le \sigma$ iff $\sigma = \pi^\frown\omega$ for some string $\pi \in \Sigma_P^*$. Equipped with this extra machinery, we can easily describe the chains in the term frame.

Proposition 5.6.3 Let $\tau$ be a TPDL tableaux, let $P$ be a path through $\tau$, and let $\mathcal{K}_P = (W_P, R_P, \nu_P)$ be the term frame for $P$.

Then for each $t = F_\sigma(w_i) \in W_P$, every $R_P$ chain from $t$ is of the form:

(F^(w,))  *  (F„^.(w.-J  1  i  G  J) 

for  some  0  J  X  N,  where 

i  <  io  <  ij  <  ij^i  and  ujj+i  <Cjjj<ujo<a 

for  all  j  <  sup(J). 

So the term frame $\mathcal{K}_P$ has the following properties: $W_P$ is countably infinite, $R_P$ is a partial order, and for each $a_j \in \Sigma$, $\nu_P(a_j)$ is continuous and injective.

Hence the induced continuous D-topological structure $\mathfrak{T}_P = (W_P, \mathcal{T}_P, \nu_P)$ is countable and $T_0$, with injective functions.

Moreover, the basic open set for $t = F_\sigma(w_i) \in W_P$ in the cone topology $\mathcal{T}_P = \mathcal{T}_{R_P}$ is of the form:

$$B_t = \{F_\sigma(w_i)\} \cup \{F_{\omega_n}(w_{i_n}) \mid n \in N\}$$

for some (possibly empty) subset $N \subseteq \mathbb{N}$, where $i < i_n < i_{n'}$ and $\omega_n \le \sigma$ for all $n, n' \in N$ with $n < n'$.


Proof. The obvious modification of the proof of Proposition 4.2.8. ■


5.7  Completeness  of  Tableaux 

Extending the completeness result for the bimodal logics to TPDL is quite straightforward, once one has in place the Fischer-Ladner order for inductions.

Given a tableaux with $\varphi \in \mathrm{Form}(\Phi,\Sigma)$ as the object of the root entry, we can fix an ordering on terms $s_j = F_\sigma(w_i) \in W(\mathcal{F})$ such that $\sigma \in \Sigma_\varphi^*$ and $i \in \mathbb{N}$, by taking some well-ordering on $\mathbb{N} \times \Sigma_\varphi^*$. The definition of the occurrence $e$ of a signed forcing assertion $E$ being reduced on a path $P$, is carried over from Definition 4.4.1; the $m = p(j,l)$ is used only in the (T$\Box$) case, when the term $s_j$ is dealt with for the time. The definition of a tableaux being finished is also carried over.


Definition 5.7.1 For each formula $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, we define the complete systematic TPDL tableaux for $\varphi$ to be:

$$\tau^\varphi = \bigcup_{n \in I} \tau_n$$

for some $I \subseteq \mathbb{N}$, where the sequence of finite TPDL tableaux $\{\tau_n\}_{n \in I}$ for $\varphi$ is defined inductively as in Definition f.f.S, except for Case 3 of stage $n+1$, which is modified as follows:

Case 3: $n = 4k + 3$, for $k \in \mathbb{N}$.

Construct $\tau_{n+1}$ from $\tau_n$ by appending, to the end of each non-contradictory path $P$ through $\tau_n$, an entry $F_m(s_i)\, R\, F_m(s_j)$ for the least $i < k$, the least $j < k$ and the least $m < k$, such that:

• $m \in \Sigma_\varphi$,

• $s_i R s_j$ is an entry on $P$, and

• $F_m(s_i)\, R\, F_m(s_j)$ does not yet occur on $P$.


Proposition 5.7.2 For each formula $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, the TPDL-CST $\tau^\varphi$ is finished. ■


Theorem 5.7.3 If $\tau = \tau^\varphi = \bigcup_{n \in I} \tau_n$ is the TPDL-CST for $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, $P$ is a non-contradictory path through $\tau^\varphi$, $\mathcal{K}_P = (W_P, R_P, \nu_P)$ is the term frame of $P$, and
rjp  is  the  path  valuation  for  1C p  (Definition  then 

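(i) for all $t, s \in W_P$,

$$t R s \text{ is an entry on } P \quad\Leftrightarrow\quad (t,s) \in R_P$$

(ii) for all $t \in W_P$ and all $\psi \in FL(\varphi)$,

$$T[\,t \Vdash \psi\,] \text{ is an entry on } P \quad\Rightarrow\quad t \Vdash \psi$$

$$F[\,t \Vdash \psi\,] \text{ is an entry on } P \quad\Rightarrow\quad t \nVdash \psi$$

Hence the identity function on $W_P$ witnesses that $(\mathcal{K}_P, \eta_P)$ agrees with $P$.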

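Proof. The proof of (i) requires only a cosmetic change to the argument, verifying that $P$ is closed under the ($F_j$-Cont) rule for each $j \in \Sigma_\varphi$. For (ii), there are extra cases in the induction, and the induction proceeds with respect to the Fischer-Ladner order $\prec$.

For example, for T$\langle\alpha\beta\rangle$, assume by induction that the result holds for all formulas $\prec \langle\alpha\beta\rangle\psi$ and all world terms in $W_P$. Fix $t \in W_P$ and suppose $T[\,t \Vdash \langle\alpha\beta\rangle\psi\,]$ is an entry on $P$. Then since (every occurrence of) this entry is reduced, $T[\,t \Vdash \langle\alpha\rangle\langle\beta\rangle\psi\,]$ is an entry on $P$. Hence by the induction hypothesis, we have $t \Vdash \langle\alpha\rangle\langle\beta\rangle\psi$. Since

$$\langle\alpha\beta\rangle\psi \leftrightarrow \langle\alpha\rangle\langle\beta\rangle\psi$$

is Kripke valid, it follows that $t \Vdash \langle\alpha\beta\rangle\psi$, as required.

The other additional cases proceed similarly, appealing to the Kripke validity of:

$$\langle\alpha + \beta\rangle\psi \leftrightarrow \langle\alpha\rangle\psi \vee \langle\beta\rangle\psi$$

$$\langle\alpha^*\rangle\psi \leftrightarrow (\psi \vee \langle\alpha\rangle\langle\alpha^*\rangle\psi) \qquad ■$$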


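Theorem 5.7.4 Kripke completeness of TPDL tableaux

For each formula $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, if $\mathrm{TPDL} \nvdash_T \varphi$, then there is a countable partially-ordered Kripke frame $\mathcal{K}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$ and a valuation $\eta$ for $\mathcal{K}$ such that $(\mathcal{K}, \eta) \nVdash \varphi$.


Proof. Same as the proof of Theorem 4.4.8. ■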
5.8 Finite Quotients and Decidability

We have in fact already proved the finite model property in Proposition 5.4.7, but since tableaux are more pleasing to contemplate than maximal consistent sets, we sketch the finite quotient argument for the term frame. If one were inspired, one could formalize the correspondence between the filtration of the non-standard canonical model through the Fischer-Ladner closure, and the finite quotient constructed here.

Definition 5.8.1 For each $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, let $FL(\varphi)$ denote the Fischer-Ladner closure of $\varphi$, as defined in Definition 5.4.5.

Define the signed Fischer-Ladner closure of $\varphi$, $SFL(\varphi)$, by:

$$SFL(\varphi) = \{T[\psi] \mid \psi \in FL(\varphi)\} \cup \{F[\psi] \mid \psi \in FL(\varphi)\}$$

Let $\tau$ be a TPDL-CST for $\varphi \in \mathrm{Form}(\Phi,\Sigma)$.

For each world term $t \in W(\mathcal{F})$ and path $P$ through $\tau$, define

$$S_P(t) = \{T[\psi] \mid T[\,t \Vdash \psi\,] \text{ is an entry on } P\} \cup \{F[\psi] \mid F[\,t \Vdash \psi\,] \text{ is an entry on } P\}$$

A subset $S \subseteq SFL(\varphi)$ is called inconsistent if there is a $\psi \in FL(\varphi)$ such that both $T[\psi] \in S$ and $F[\psi] \in S$; and consistent otherwise.


On a path $P$ through a tableaux, every set $S_P(t) \subseteq SFL(\varphi)$, and if the cardinality $|FL(\varphi)| = n$, then the total number of consistent subsets $S \subseteq SFL(\varphi)$ is:

$$\sum_{k=0}^{n} \binom{n}{k} 2^k = 3^n$$

Definition 5.8.2 Let $\tau$ be the TPDL-CST for $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, let $P$ be a path through $\tau$, and let $\mathcal{K}_P = (W_P, R_P, \nu_P)$ be the term frame for $P$, with $\eta_P$ the path valuation.

Define an equivalence relation $\equiv_P$ on $W_P$ by:

$$t \equiv_P s \quad\text{iff}\quad S_P(t) = S_P(s)$$

Let $\overline{t} = \{s \in W_P \mid t \equiv_P s\}$ and let $W_P^*$ denote the set of all $\equiv_P$-equivalence classes $\overline{t}$. Define $\mathcal{K}_P^* = (W_P^*, R_P^*, \nu_P^*)$ to be the minimal quotient under the surjective map $h : W_P \to W_P^*$ given by $h(t) = \overline{t}$; i.e. for all $t, s \in W_P$,

$$h(t) = h(s) \quad\Leftrightarrow\quad S_P(t) = S_P(s)$$

and

$$(h(t), h(s)) \in R_P^* \quad\Leftrightarrow\quad (t,s) \in R_P$$

and

$$(\nu_P^*(a_j))(h(t)) = h((\nu_P(a_j))(t)) = \begin{cases} h(F_j(t)) & \text{if } j \in \Sigma_P \\ h(t) & \text{otherwise} \end{cases}$$


Theorem 5.8.3 Finite model property for TPDL.

Let $\tau$ be the TPDL-CST for $\varphi \in \mathrm{Form}(\Phi,\Sigma)$ with root $F[\,w_0 \Vdash \varphi\,]$, and suppose $P$ is a non-contradictory path through $\tau$. Let $\mathcal{K}_P = (W_P, R_P, \nu_P)$ be the term frame for $P$, with $\eta_P$ its canonical valuation, and let $\mathcal{K}_P^* = (W_P^*, R_P^*, \nu_P^*)$ be the minimal quotient of $\mathcal{K}_P$ under $\equiv_P$. Then:

(a) The equivalence relation $\equiv_P$ is of finite index: if $n = |FL(\varphi)|$ then $|W_P^*| \le 3^n$.

(b) The induced valuation $\eta_P^* : W_P^* \to \mathcal{P}(\Phi)$ given by:

$$\eta_P^*(h(t)) = \eta_P(t) = \{p \in \Phi \mid T[\,t \Vdash p\,] \text{ is an entry on } P\}$$

is well-defined.

(c) For all $\psi \in FL(\varphi)$ and $t \in W_P$,

$$h(t) \Vdash^* \psi \quad\Leftrightarrow\quad t \Vdash \psi$$

where $\Vdash$ abbreviates $\Vdash^{\mathcal{K}_P}_{\eta_P}$ and $\Vdash^*$ abbreviates $\Vdash^{\mathcal{K}_P^*}_{\eta_P^*}$.

Hence $(\mathcal{K}_P^*, \eta_P^*)$ agrees with $P$, and in particular, $h(w_0) \nVdash^* \varphi$, so

$$(\mathcal{K}_P^*, \eta_P^*) \nVdash \varphi$$

Proof. Using the Fischer-Ladner order, the induction in part (c) requires only straightforward appeals to the definitions of forcing. ■


Corollary  5.8.4  The  logic  TPDL  is  decidable. 


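Corollary 5.8.5 For each formula $\varphi \in \mathrm{Form}(\Phi,\Sigma)$, the following are equivalent:

(1.) $\mathrm{TPDL} \vdash_T \varphi$

(2.) $\mathrm{TPDL} \vdash_H \varphi$

(3.) $\mathfrak{T} \models \varphi$ for all topological structures $\mathfrak{T}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$,

(4.) $\mathfrak{T} \models \varphi$ for all D-topological structures $\mathfrak{T}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$,

(5.) $\mathcal{K} \Vdash \varphi$ for all Kripke frames $\mathcal{K}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$,

(6.) $\mathfrak{T} \models \varphi$ for all countable $T_0$ D-topological structures $\mathfrak{T}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$,

(7.) $\mathcal{K} \Vdash \varphi$ for all countable partially-ordered Kripke frames $\mathcal{K}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$,

(8.) $\mathcal{K} \Vdash \varphi$ for all finite Kripke frames $\mathcal{K}$ for $\mathcal{L}_\Box(\Phi,\Sigma)$.

Proof. (8.) $\Rightarrow$ (1.) is the finite model property, and (5.) $\Rightarrow$ (8.) is trivial. (7.) $\Rightarrow$ (1.) is the completeness theorem for TPDL tableaux, in Theorem 5.7.4. (1.) $\Rightarrow$ (5.) is the Kripke soundness of TPDL tableaux, in Theorem 5.6.2. (3.) $\Rightarrow$ (4.) and (5.) $\Rightarrow$ (7.) are trivial. (4.) $\Leftrightarrow$ (5.) and (6.) $\Leftrightarrow$ (7.) are Corollaries 5.2.6 and 5.2.7. (2.) $\Rightarrow$ (3.) is the topological soundness of the Hilbert-style proof system, in Proposition 5.4.2 (3.2.2). And (5.) $\Rightarrow$ (2.) is the Kripke completeness result for the Hilbert-style proof system, in Proposition 5.4.7. ■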


5.9  Conclusion 

The  larger  goal  of  this  investigation  was  to  provide  a  logical  foundation  for  hybrid 
control  systems  in  which  topological  structure  is  taken  seriously.  This  work  is  at  least 
a  modest  contribution  to  that  endeavor,  and  will  serve  as  a  base  for  future  research. 